
Windows Analysis Report
RqYh.exe

Overview

General Information

Sample name: RqYh.exe
Analysis ID: 1501378
MD5: 4b487f91d2504883b4c9df18848af5ef
SHA1: 964e913b8b4cba2232e46b3fe0b73b1c009bed7d
SHA256: f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607
Tags: exe, remcos, rat

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • RqYh.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\RqYh.exe" MD5: 4B487F91D2504883B4C9DF18848AF5EF)
    • powershell.exe (PID: 7712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oJSnAkAh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7196 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7788 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 7964 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • remcos.exe (PID: 8036 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • oJSnAkAh.exe (PID: 8096 cmdline: C:\Users\user\AppData\Roaming\oJSnAkAh.exe MD5: 4B487F91D2504883B4C9DF18848AF5EF)
    • schtasks.exe (PID: 4948 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpB8EC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 980 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • remcos.exe (PID: 7436 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • remcos.exe (PID: 5040 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • remcos.exe (PID: 7888 cmdline: "C:\ProgramData\Remcos\remcos.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • remcos.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Roaming\Remcos\remcos.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration (Remcos):
{"Version": "5.1.1 Pro", "Host:Port:Password": "rodri.selfip.net:50019:1racindjah.blogdns.com:50066:1", "Assigned name": "Htexte", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-B6J50C", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "journaux.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Captures dcran", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6ad10:$a1: Remcos restarted by watchdog!
  • 0x6b288:$a3: %02i:%02i:%02i:%03i
00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source | Rule | Description | Author | Strings
8.2.MSBuild.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
8.2.MSBuild.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
8.2.MSBuild.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
8.2.MSBuild.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
8.2.MSBuild.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RqYh.exe", ParentImage: C:\Users\user\Desktop\RqYh.exe, ParentProcessId: 7516, ParentProcessName: RqYh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", ProcessId: 7712, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7964, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-B6J50C
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RqYh.exe", ParentImage: C:\Users\user\Desktop\RqYh.exe, ParentProcessId: 7516, ParentProcessName: RqYh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", ProcessId: 7712, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpB8EC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpB8EC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\oJSnAkAh.exe, ParentImage: C:\Users\user\AppData\Roaming\oJSnAkAh.exe, ParentProcessId: 8096, ParentProcessName: oJSnAkAh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpB8EC.tmp", ProcessId: 4948, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RqYh.exe", ParentImage: C:\Users\user\Desktop\RqYh.exe, ParentProcessId: 7516, ParentProcessName: RqYh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp", ProcessId: 7788, ProcessName: schtasks.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Remcos\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7964, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-B6J50C
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RqYh.exe", ParentImage: C:\Users\user\Desktop\RqYh.exe, ParentProcessId: 7516, ParentProcessName: RqYh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe", ProcessId: 7712, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RqYh.exe", ParentImage: C:\Users\user\Desktop\RqYh.exe, ParentProcessId: 7516, ParentProcessName: RqYh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp", ProcessId: 7788, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: 0.2.RqYh.exe.4e45258.2.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "rodri.selfip.net:50019:1racindjah.blogdns.com:50066:1", "Assigned name": "Htexte", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-B6J50C", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "journaux.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Captures dcran", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | ReversingLabs: Detection: 63%
Source: RqYh.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RqYh.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7964, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Joe Sandbox ML: detected
Source: RqYh.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_004338C8
Source: RqYh.exe, 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_04e63f20-6

Exploits

Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RqYh.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7964, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00407538 _wcslen,CoGetObject,8_2_00407538
Source: RqYh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RqYh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RqYh.pdb source: RqYh.exe, oJSnAkAh.exe.0.dr
Source: Binary string: RqYh.pdbSHA256 source: RqYh.exe, oJSnAkAh.exe.0.dr
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe.8.dr, remcos.exe.15.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 4x nop then jmp 07B07297h 0_2_07B0756D
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_07D747A0
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 4x nop then jmp 07526537h 11_2_0752680D

Networking

Source: Malware configuration extractor | URLs: rodri.selfip.net
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown | TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown | TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,8_2_0041B411
Source: MSBuild.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: RqYh.exe, 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, RqYh.exe, 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: remcos.exe, 00000012.00000002.1781846923.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: RqYh.exe, 00000000.00000002.1698198829.0000000003321000.00000004.00000800.00020000.00000000.sdmp, oJSnAkAh.exe, 0000000B.00000002.1747970715.0000000003211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp, RqYh.exe, 00000000.00000002.1706001829.0000000005C64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RqYh.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7964, type: MEMORYSTR

                E-Banking Fraud

Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RqYh.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7964, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041CA6D SystemParametersInfoW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041CA73 SystemParametersInfoW
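The hook, clipboard and keystroke call chains in the capturing section above (SetWindowsHookExA with hook id 0000000D, Get/SetClipboardData, GetKeyboardState followed by ToUnicodeEx) and the SystemParametersInfoW calls listed here can be turned into triage tags automatically. The following Python script is an added example and is not part of the Joe Sandbox report: it parses rows in the report's "Code function" format, decodes the SetWindowsHookEx hook identifier (13 is WH_KEYBOARD_LL, a global low-level keyboard hook) and applies a small capability map that is this example's own heuristic rather than a Joe Sandbox signature. The sample rows are copied from this report; process index 8 is the MSBuild.exe instance the other sections identify as the injection host.

```python
"""Capability triage over Joe Sandbox 'Code function' rows.

Added example, not code from the Joe Sandbox report. A row looks like
'8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000' or
'8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,': a function id
(<process index>_<phase>_<address>), then the API chain, with immediate
arguments listed after the API that takes them. The capability map below is
this example's own heuristic, not a Joe Sandbox signature.
"""
import re

# Constructed sample input: rows copied from the report's "Key, Mouse,
# Clipboard..." and "Spam..." sections (process 8 is the injected MSBuild.exe).
SAMPLE_ROWS = [
    "8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000",
    "8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,",
    "8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,"
    "SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,"
    "GlobalUnlock,CloseClipboard,",
    "8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,"
    "GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,",
    "8_2_0041CA6D SystemParametersInfoW,",
    "8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,",
]

# Hook identifiers from winuser.h; SetWindowsHookEx's first argument selects the type.
WH_NAMES = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# A tag applies when every API in its set appears in the same function.
CAPABILITIES = {
    "keystroke_decode": {"GetKeyboardState", "ToUnicodeEx"},
    "clipboard_read": {"OpenClipboard", "GetClipboardData"},
    "clipboard_write": {"OpenClipboard", "SetClipboardData"},
    "wallpaper_or_sysparam_change": {"SystemParametersInfoW"},
    "logoff_or_shutdown": {"ExitWindowsEx"},
}

ROW_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<calls>.+)$")
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_row(row):
    """Return (function_id, [(api_name, [int args]), ...]) for one row."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError("not a Code function row: %r" % row)
    calls = []
    for tok in m.group("calls").split(","):
        tok = tok.strip()
        if not tok:
            continue                                # trailing comma in the report
        if HEX_ARG.match(tok) and calls:
            calls[-1][1].append(int(tok, 16))       # further argument of the previous API
            continue
        name, _, first_arg = tok.partition(" ")
        calls.append((name, [int(first_arg, 16)] if first_arg else []))
    return m.group("fid"), calls


def classify(row):
    """Tag one function with the capabilities its API combination implies."""
    fid, calls = parse_row(row)
    apis = {name for name, _ in calls}
    tags = sorted(tag for tag, needed in CAPABILITIES.items() if needed <= apis)
    for name, args in calls:
        # Decode the hook type; 13 (WH_KEYBOARD_LL) is a global low-level keyboard hook.
        if name.startswith("SetWindowsHookEx") and args:
            tags.append("hook:" + WH_NAMES.get(args[0], "WH_%d" % args[0]))
    return fid, tags


def triage(rows):
    """Map every function id that earned at least one tag to its tags."""
    return {fid: tags for fid, tags in map(classify, rows) if tags}


if __name__ == "__main__":
    for fid, tags in triage(SAMPLE_ROWS).items():
        print(fid, ", ".join(tags))
```

These tags are evidence to correlate, not verdicts: SystemParametersInfoW is used by plenty of legitimate software, and a WH_KEYBOARD_LL hook on its own is what accessibility tools and hotkey utilities install. What makes this set telling is the combination inside one process, and a host (MSBuild.exe) that has no business decoding keystrokes or reading the clipboard.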

                System Summary

Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: RqYh.exe PID: 7516, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 7964, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_0161EF24
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B036E8
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B036D7
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B01538
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B02D38
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B02D28
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B00CC8
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B01100
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B09948
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B010F1
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07D8AE2C
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_091D3204
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_091D2080
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_091DB3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0043706A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00414005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0043E11C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004541D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004381E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041F18B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00446270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0043E34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004533AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0042742E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00437566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0043E5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004387F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0043797E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004339D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0044DA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00427AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041DBF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00427C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00437DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00435EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0043DEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00426E9F
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_01252788
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 9_2_01255A41
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_014BEF24
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_031D0006
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_031D0040
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_075236D7
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_075236E8
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_07521538
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_07522D38
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_07522D28
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_07520CC8
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_07528BE8
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_07521100
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Code function: 11_2_075210F1
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 16_2_02515A41
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 16_2_02512788
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 16_2_02511CC0
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 18_2_02D95A41
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 18_2_02D92788
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 21_2_01821CC0
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 21_2_01822788
Source: C:\ProgramData\Remcos\remcos.exe | Code function: 21_2_01825A41
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 25_2_01642788
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Code function: 25_2_01645A41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00434801 appears 41 times
Source: RqYh.exe, 00000000.00000002.1698198829.000000000344D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs RqYh.exe
Source: RqYh.exe, 00000000.00000002.1698198829.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs RqYh.exe
Source: RqYh.exe, 00000000.00000002.1708857327.00000000097C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs RqYh.exe
Source: RqYh.exe, 00000000.00000002.1696862278.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RqYh.exe
Source: RqYh.exe, 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs RqYh.exe
Source: RqYh.exe, 00000000.00000002.1707209393.0000000007A40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs RqYh.exe
Source: RqYh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RqYh.exe PID: 7516, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 7964, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: RqYh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: oJSnAkAh.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: remcos.exe.8.dr, TaskParameter.cs | Task registration methods: 'CreateNewTaskItemFrom'
Source: remcos.exe.8.dr, OutOfProcTaskHostNode.cs | Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: remcos.exe.8.dr, TaskLoader.cs | Task registration methods: 'CreateTask'
Source: remcos.exe.8.dr, RegisteredTaskObjectCacheBase.cs | Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, Hp3DW4tRyHZpHkAyEn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: remcos.exe.8.dr, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: remcos.exe.8.dr, NodeEndpointOutOfProcBase.cs | Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: remcos.exe.8.dr, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: remcos.exe.8.dr, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: remcos.exe.8.dr, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, bZjvu6ogLdvCcF21PH.cs | Security API names: _0020.SetAccessControl
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, bZjvu6ogLdvCcF21PH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, bZjvu6ogLdvCcF21PH.cs | Security API names: _0020.AddAccessRule
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, Hp3DW4tRyHZpHkAyEn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, bZjvu6ogLdvCcF21PH.cs | Security API names: _0020.SetAccessControl
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, bZjvu6ogLdvCcF21PH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, bZjvu6ogLdvCcF21PH.cs | Security API names: _0020.AddAccessRule
Source: remcos.exe, 00000010.00000002.1736735017.0000000002741000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\Windows\system32\*.sln
Source: remcos.exe, 00000019.00000002.1943212284.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $fq+C:\Users\user\AppData\Roaming\Remcos\*.sln
Source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe.8.dr, remcos.exe.15.dr | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: remcos.exe, 00000009.00000002.1693578493.0000000002C11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\*.sln
Source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe.8.dr, remcos.exe.15.dr | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
                Source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe.8.dr, remcos.exe.15.drBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                Source: remcos.exe, 00000012.00000002.1781846923.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000015.00000002.1861501740.000000000141A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\ProgramData\Remcos\<.sln
                Source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe, 00000009.00000002.1693578493.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1732959926.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000010.00000002.1736735017.0000000002741000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000012.00000002.1784580977.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000015.00000002.1862722181.0000000003281000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000019.00000002.1943212284.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, remcos.exe.8.dr, remcos.exe.15.drBinary or memory string: *.sln
                Source: remcos.exe, 00000010.00000002.1735188483.0000000000A69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Windows\system32\<.slndlu
                Source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe.8.dr, remcos.exe.15.drBinary or memory string: MSBuild MyApp.csproj /t:Clean
                Source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe.8.dr, remcos.exe.15.drBinary or memory string: /ignoreprojectextensions:.sln
                Source: remcos.exe, 00000012.00000002.1784580977.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000015.00000002.1862722181.0000000003281000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\ProgramData\Remcos\*.sln
                Source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe.8.dr, remcos.exe.15.drBinary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
                Source: MSBuild.exe, 0000000F.00000002.1732959926.0000000000CC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MEOUT.sln
                Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@31/23@0/0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_0041798D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,8_2_0040F4AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,8_2_0041B539
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB
                Source: C:\Users\user\Desktop\RqYh.exe | File created: C:\Users\user\AppData\Roaming\oJSnAkAh.exe
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-B6J50C
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Mutant created: \Sessions\1\BaseNamedObjects\FHNjBrXmaHJRtAi
                Source: C:\Users\user\Desktop\RqYh.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp
                Source: RqYh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: RqYh.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\RqYh.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\RqYh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RqYh.exe | ReversingLabs: Detection: 63%
                Source: C:\Users\user\Desktop\RqYh.exe | File read: C:\Users\user\Desktop\RqYh.exe
                Source: unknown | Process created: C:\Users\user\Desktop\RqYh.exe "C:\Users\user\Desktop\RqYh.exe"
                Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oJSnAkAh.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\oJSnAkAh.exe C:\Users\user\AppData\Roaming\oJSnAkAh.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpB8EC.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                Source: C:\ProgramData\Remcos\remcos.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe"
                Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oJSnAkAh.exe"
                Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp"
                Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpB8EC.tmp"
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
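The process tree and the mutant rows above are the events a detection engineer would key on: PowerShell adding Defender exclusions with Add-MpPreference, schtasks.exe registering a task from an XML file in the user's Temp directory, an argument-less MSBuild.exe launched by a binary on the Desktop (the injection target, per the report's PE-injection signatures) that then spawns remcos.exe from ProgramData or AppData, and the Rmc-B6J50C mutant. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it runs those checks over constructed process and mutex events modelled on the rows above. The PIDs other than 7964, the benign control event, and the six-character width of the Rmc- mutex pattern (generalised from the single value seen here) are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str    # command line as logged (Sysmon event 1 / Security 4688 style)


@dataclass(frozen=True)
class MutexEvent:
    pid: int
    name: str


# Constructed sample telemetry modelled on the report's process tree.
# PIDs other than 7964 are assumptions; paths and command lines are the report's.
PROCS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(7000, 100, r"C:\Users\user\Desktop\RqYh.exe", r'"C:\Users\user\Desktop\RqYh.exe"'),
    ProcEvent(7010, 7000, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe"'),
    ProcEvent(7020, 7000, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp"'),
    ProcEvent(7964, 7000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    ProcEvent(7030, 7964, r"C:\ProgramData\Remcos\remcos.exe", r'"C:\ProgramData\Remcos\remcos.exe"'),
    # Benign control (assumed): a developer build with a project argument, parent not in telemetry.
    ProcEvent(7040, 7050, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MyApp.sln /t:Rebuild /p:Configuration=Release'),
]
MUTEXES = [
    MutexEvent(7964, r"\Sessions\1\BaseNamedObjects\Rmc-B6J50C"),
    MutexEvent(7030, r"\Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03"),
]

# Directories an unprivileged user can write to; a parent or child living here is the signal.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(ProgramData|Users\\[^\\]+\\(AppData|Desktop))\\", re.I)
EXCLUSION_RE = re.compile(r'Add-MpPreference\b.*-ExclusionPath\s+"?([^"]+)"?', re.I)
TEMP_XML_RE = re.compile(r'/XML\s+"?([^"]*\\AppData\\Local\\Temp\\[^"]+)"?', re.I)
# Remcos mutex as seen in this report: "Rmc-" plus six upper-case alphanumerics (assumed width).
REMCOS_MUTEX_RE = re.compile(r"(^|\\)Rmc-[A-Z0-9]{6}$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argless(cmdline: str) -> bool:
    """True when the command line is only the (optionally quoted) image with no arguments."""
    return re.fullmatch(r'\s*(?:"[^"]+"|\S+)\s*', cmdline) is not None


def detect(procs, mutexes):
    """Return (rule, pid, detail) tuples for the chain recorded in the report."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name, parent = basename(p.image), by_pid.get(p.ppid)
        if name == "powershell.exe":
            m = EXCLUSION_RE.search(p.cmdline)
            if m:
                findings.append(("defender_exclusion_added", p.pid, m.group(1)))
        elif name == "schtasks.exe" and "/create" in p.cmdline.lower():
            m = TEMP_XML_RE.search(p.cmdline)
            if m:
                findings.append(("schtasks_from_temp_xml", p.pid, m.group(1)))
        elif name == "msbuild.exe" and argless(p.cmdline) and parent and USER_WRITABLE.match(parent.image):
            # A real build passes a project or solution; a bare MSBuild.exe started by a
            # binary in a user-writable path is the injection target the report describes.
            findings.append(("argless_msbuild_from_user_path", p.pid, parent.image))
        if parent and basename(parent.image) == "msbuild.exe" and USER_WRITABLE.match(p.image):
            findings.append(("msbuild_spawned_payload", p.pid, p.image))
    for mx in mutexes:
        if REMCOS_MUTEX_RE.search(mx.name):
            findings.append(("remcos_mutex", mx.pid, mx.name))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, MUTEXES):
        print(f"{rule:32} pid={pid:<6} {detail}")
```

The two MSBuild rules are deliberately separate: an argument-less MSBuild.exe whose parent lives in a user-writable directory is suspicious on its own (a genuine build passes a project or solution, as the MSBuild usage strings recovered from remcos.exe show), while an MSBuild.exe child image under ProgramData or AppData is the injected payload dropping its persistence copy. The benign control event, MSBuild launched with MyApp.sln, produces no finding.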
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\RqYh.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: urlmon.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wininet.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iertutil.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: srvcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: netutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rstrtmgr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: propsys.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: apphelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: twext.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: appresolver.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: slc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sppc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: policymanager.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntshrui.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.fileexplorer.common.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cscapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: textshaping.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: starttiledata.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: acppage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: aepic.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: edputil.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wintypes.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: mscoree.dll
                Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: kernel.appcore.dll
                Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: version.dll
                Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\ProgramData\Remcos\remcos.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: urlmon.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wininet.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iertutil.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: srvcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: netutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rstrtmgr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntmarta.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: propsys.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: apphelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: twext.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: appresolver.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: slc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sppc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: policymanager.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msvcp110_win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntshrui.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.fileexplorer.common.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cscapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: shacct.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: textshaping.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: idstore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: samlib.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: starttiledata.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: acppage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: aepic.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wlidprov.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: provsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: edputil.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mscoree.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: mscoree.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: kernel.appcore.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: version.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\ProgramData\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\RqYh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\RqYh.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: RqYh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: RqYh.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: RqYh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: RqYh.pdb source: RqYh.exe, oJSnAkAh.exe.0.dr
                Source: Binary string: RqYh.pdbSHA256 source: RqYh.exe, oJSnAkAh.exe.0.dr
                Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: remcos.exe, 00000009.00000000.1678232490.0000000000892000.00000002.00000001.01000000.0000000C.sdmp, remcos.exe.8.dr, remcos.exe.15.dr

Data Obfuscation

Source: RqYh.exe, Form1.cs | .Net Code: InitializeComponent
Source: oJSnAkAh.exe.0.dr, Form1.cs | .Net Code: InitializeComponent
Source: 0.2.RqYh.exe.336e8e0.1.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RqYh.exe.335c8ac.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RqYh.exe.7a40000.5.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, bZjvu6ogLdvCcF21PH.cs | .Net Code: fxi5l7RlTT System.Reflection.Assembly.Load(byte[])
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, bZjvu6ogLdvCcF21PH.cs | .Net Code: fxi5l7RlTT System.Reflection.Assembly.Load(byte[])
Source: 11.2.oJSnAkAh.exe.325e928.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 11.2.oJSnAkAh.exe.324c8f4.1.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: RqYh.exe | Static PE information: 0x8EFCCA35 [Sun Jan 7 09:51:49 2046 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041CBE1
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_058BE4EB push eax; mov dword ptr [esp], ecx 0_2_058BE424
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_058BE413 push eax; mov dword ptr [esp], ecx 0_2_058BE424
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_058BEF00 push eax; ret 0_2_058BEF33
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B0558A push esp; ret 0_2_07B05591
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B05D10 push esp; retf 0_2_07B05D11
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_07B06168 pushad ; iretd 0_2_07B06169
Source: C:\Users\user\Desktop\RqYh.exe | Code function: 0_2_091DA113 push FFFFFFFCh; ret 0_2_091DA115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00457186 push ecx; ret 8_2_00457199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041C7F3 push eax; retf 8_2_0041C7FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
Source: RqYh.exe | Static PE information: section name: .text entropy: 7.8367429863866045
Source: oJSnAkAh.exe.0.dr | Static PE information: section name: .text entropy: 7.8367429863866045
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, FX91hPPvDuY67JCDpC.cs | High entropy of concatenated method names: 'Dk1fJKgqWe', 'ChIft2NNo8', 'QjsIXvJlel', 'jdOI4D7B2W', 'lcAfnPXCyI', 'YnYfjaEcMQ', 'Id1fcoXNuG', 'M4ifyF2Scu', 'WJpfoaB72x', 'jmAfaOihuo'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, k1vsj0mbIh1ib04Hs0.cs | High entropy of concatenated method names: 'ng1TY9Me42', 'Ve9TLXfD30', 'abeTUqIDWn', 'igvTFSbQTT', 'CR7Ti3vO92', 'l82T3VvbIg', 'vmjTbX0ZDv', 'X8rTrk5hVJ', 'B6UTM8J8ol', 'WNHTnkme7P'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, XnlZxwIq3DsMw3TDrq.cs | High entropy of concatenated method names: 'pe0496irXP', 'oTZ4qLMeBj', 'OQW4BwDlK6', 'Qk44ZZG1SF', 'iXS4AbFDKh', 'bjg4wXZ1aO', 'QDtGSWay9XeihJOqKk', 'bbTefFYYM5kfvLhLdu', 'DpE44BK7P5', 'fIC4eggeC0'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, x3QhDEZrhvUmcLMAxs.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'aHhKEJ3BH9', 'DYTKtwxRkk', 'x7SKzjLqYO', 'upaeXDItiq', 'UGUe4Co63e', 'hFTeK5jiqC', 'br0eeOeAoB', 'hqk9kQq2nw8ykCd5ENM'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, iduGryXJjk4y97UIkh.cs | High entropy of concatenated method names: 'xQAlR8yDK', 'NVpxRNV1h', 'wdXDkyLE8', 'p2BpL04US', 'eU3L5behk', 'oUhRO91pP', 'trqPnuTHvDcZB4PW2o', 'ecgvJnPPlHwRd4qM4f', 'NADIXNUFE', 'cC0NhiUjf'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, QfAacVVnbju26sLeuK.cs | High entropy of concatenated method names: 'ToString', 'DfnwnWpsOO', 'AukwFXmhFy', 'JaWwOmX7UK', 'rlGwia6yt3', 'xsgw3GCDGc', 'D17w0iwZmA', 'k5uwb4apA2', 'I5DwrH6kEP', 'IbZw6XAQmm'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, zg8lgKCXDPpwIjL0ONQ.cs | High entropy of concatenated method names: 'HiONk9Gr6R', 'za6NgaBxVI', 'P6tNlmlQ4u', 'UPMnMS2lEBGywMcstu2', 'FvfBda2n7TvpXpROstJ', 'hZbf832LZviSK24qDWf', 'kgr2dS2N11m24cY5F29'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, wMnYsqCEWOR2mVPlboH.cs | High entropy of concatenated method names: 'DRiCkHlOd7', 'OtXCgdooE4', 'WfoClScMt5', 'cLpCxBMFO7', 'elxCSRkf06', 'bdTCDWHaS8', 'APuCpAw3sj', 'NdYCYxFE51', 'RlhCLkeaeQ', 'I3BCRMSkIk'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, gxjM1iTYTvE1QoCgjB.cs | High entropy of concatenated method names: 'g8ms8aGH8w', 'PIDskh1ITd', 'NnmslcytiK', 'tHUsxjhE10', 'MeXsDS9NSb', 'VZjspMbIlK', 'PetsL26uOx', 'CjwsROXAtA', 'xZgwsa6uWZfxjKu0cF3', 'RvuNv46Drqost4V5vH0'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, qSrQvAzph7q1Whwtdf.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nACCT9R5uW', 'V7pCAy1DE3', 'DVECw22oZx', 'mRJCfEN7Xj', 'QuRCIg03BZ', 'LHXCCfcom5', 'MUTCNocNKy'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, TX2IUJqCKXcOF4SyiC.cs | High entropy of concatenated method names: 'HuVIvupng4', 'PqsIWYp6mU', 'h5fIdjtjCJ', 'qWeIGDrSFO', 'gpyIsskj77', 'xUcI9YiGWK', 'BjlIq6f8j0', 'cMGIPpWjQ6', 'uuZIBMlFXM', 'z11IZ09TgZ'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, E5vCNONIagGCodtbCT.cs | High entropy of concatenated method names: 'iUyC4ia7ir', 'UkrCelLsY8', 'MvqC5R5tkd', 'E4aCvesZYB', 'aTeCWDuoqr', 'qq5CGTuryc', 'KsnCs5pR2O', 'zWnI1PLprM', 'kVNIJNHS6o', 'xoQIElZWHK'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, wtPXA6aOi4yQVtHt1q.cs | High entropy of concatenated method names: 'awCGSUcK6D', 'QHZGp6Id5x', 'KHEdO1Rk2G', 'qIydiLbomm', 'tt6d3dJdYm', 'lNAd0YtK1V', 'Ugqdbrp9mf', 'IbSdr8J7Ta', 'k5yd6nLRJA', 'lfGdMN1OZW'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, syQhsdAea9794eGoBQ.cs | High entropy of concatenated method names: 'n1x9vPUA16', 'AvB9dOa96b', 'wTu9sme9I6', 'YRJstQTq8d', 'fuSszs2BEd', 'k4U9XIQY3s', 'l6094xi7kn', 'EVZ9K9oE44', 'KEo9egR4ZE', 'F7J95hqvaE'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, Hp3DW4tRyHZpHkAyEn.cs | High entropy of concatenated method names: 'S6aWyp7JWu', 'r4hWo0nSNG', 'P4pWaax7md', 'IiqWu7pRu3', 'HGuWQbR9FF', 's2gWHTYoqR', 'ziqW16AvQa', 'MwDWJdWbbn', 'SFMWEKOywy', 'B91WtGeYW7'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, baOPoorYqtBoNHlJt1.cs | High entropy of concatenated method names: 'hGOIUTS1T4', 'dBiIFUFZpq', 'flBIOdPDrE', 'I7DIiOKAqq', 'nDeIycNflg', 'NpwI3S9LmO', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, bcw165b0GR7c6woeMl.cs | High entropy of concatenated method names: 'YfXsmECUOv', 'R59sW4tTTj', 's5asGK5l5V', 'RRLs94fi5o', 'QwGsq7gmVL', 'UoBGQMObey', 'aajGHbBR0N', 'SoNG135AU5', 'ObjGJSLuCx', 'lQbGEqkgbP'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, HEKf6OHgT1w5yD5Wow.cs | High entropy of concatenated method names: 'ynKAMmTunq', 'AeSAj1yXpX', 'gwkAyRKyNs', 'E8HAoMEIF6', 'pB0AFG96SJ', 'jRbAOa9bTR', 'cxsAiRM4wR', 'ktPA3ZU8Z6', 'hpfA0IiY7C', 'kyOAbV8iQc'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, kU4Ur1G8FZeWCKueMv.cs | High entropy of concatenated method names: 'Dispose', 'Ipx4EZimtD', 'NUaKFLKgw9', 'eaXVVYbOcm', 'HjV4tXrMWv', 'Cwk4z2sfmO', 'ProcessDialogKey', 'BFSKXyL6Tc', 'MMLK4DZ08n', 'o2TKKNwp4J'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, PHATayJh2BUMUnwRvJ.cs | High entropy of concatenated method names: 'ylLdx7YsiW', 'Jb9dDPb07l', 'eV8dYj8aqa', 'AWBdLbH2HB', 'NgDdAvy1AG', 'aO1dwi47hC', 'rfkdf25x29', 'jf6dITl7PP', 'ugMdCgJ4tN', 'sALdNC20jN'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, qllPUTcVpuQt0wLl8Y.cs | High entropy of concatenated method names: 'Uq89kafohO', 'GP39gayiSs', 'uac9lQdhiP', 'MPp9x9oJCM', 'c4Y9SjJaUS', 'tt49DxPp6T', 'URL9pKaCR1', 'kks9YCkqS7', 'KXE9LEhDl6', 'rko9RjNp3T'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, bZjvu6ogLdvCcF21PH.cs | High entropy of concatenated method names: 'ERKemxhjoY', 'UgQevUMZ68', 'T7KeWHMYoL', 'pVmedy6LEY', 'S12eGj03AV', 'iRuesbx4pq', 'v3Ue9rhAZZ', 'lQueqr8KND', 'cvFeP9wAB4', 'okEeBY3mDP'
Source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, flLDcNCp6dCbeE13wiO.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UmyNyZJcDM', 'fJuNoF7wua', 'OugNaJHhdk', 'udSNuE7cnu', 'vVINQJi117', 'udvNHwr2Hb', 'OQeN1sYPqP'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, FX91hPPvDuY67JCDpC.cs | High entropy of concatenated method names: 'Dk1fJKgqWe', 'ChIft2NNo8', 'QjsIXvJlel', 'jdOI4D7B2W', 'lcAfnPXCyI', 'YnYfjaEcMQ', 'Id1fcoXNuG', 'M4ifyF2Scu', 'WJpfoaB72x', 'jmAfaOihuo'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, k1vsj0mbIh1ib04Hs0.cs | High entropy of concatenated method names: 'ng1TY9Me42', 'Ve9TLXfD30', 'abeTUqIDWn', 'igvTFSbQTT', 'CR7Ti3vO92', 'l82T3VvbIg', 'vmjTbX0ZDv', 'X8rTrk5hVJ', 'B6UTM8J8ol', 'WNHTnkme7P'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, XnlZxwIq3DsMw3TDrq.cs | High entropy of concatenated method names: 'pe0496irXP', 'oTZ4qLMeBj', 'OQW4BwDlK6', 'Qk44ZZG1SF', 'iXS4AbFDKh', 'bjg4wXZ1aO', 'QDtGSWay9XeihJOqKk', 'bbTefFYYM5kfvLhLdu', 'DpE44BK7P5', 'fIC4eggeC0'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, x3QhDEZrhvUmcLMAxs.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'aHhKEJ3BH9', 'DYTKtwxRkk', 'x7SKzjLqYO', 'upaeXDItiq', 'UGUe4Co63e', 'hFTeK5jiqC', 'br0eeOeAoB', 'hqk9kQq2nw8ykCd5ENM'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, iduGryXJjk4y97UIkh.cs | High entropy of concatenated method names: 'xQAlR8yDK', 'NVpxRNV1h', 'wdXDkyLE8', 'p2BpL04US', 'eU3L5behk', 'oUhRO91pP', 'trqPnuTHvDcZB4PW2o', 'ecgvJnPPlHwRd4qM4f', 'NADIXNUFE', 'cC0NhiUjf'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, QfAacVVnbju26sLeuK.cs | High entropy of concatenated method names: 'ToString', 'DfnwnWpsOO', 'AukwFXmhFy', 'JaWwOmX7UK', 'rlGwia6yt3', 'xsgw3GCDGc', 'D17w0iwZmA', 'k5uwb4apA2', 'I5DwrH6kEP', 'IbZw6XAQmm'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, zg8lgKCXDPpwIjL0ONQ.cs | High entropy of concatenated method names: 'HiONk9Gr6R', 'za6NgaBxVI', 'P6tNlmlQ4u', 'UPMnMS2lEBGywMcstu2', 'FvfBda2n7TvpXpROstJ', 'hZbf832LZviSK24qDWf', 'kgr2dS2N11m24cY5F29'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, wMnYsqCEWOR2mVPlboH.cs | High entropy of concatenated method names: 'DRiCkHlOd7', 'OtXCgdooE4', 'WfoClScMt5', 'cLpCxBMFO7', 'elxCSRkf06', 'bdTCDWHaS8', 'APuCpAw3sj', 'NdYCYxFE51', 'RlhCLkeaeQ', 'I3BCRMSkIk'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, gxjM1iTYTvE1QoCgjB.cs | High entropy of concatenated method names: 'g8ms8aGH8w', 'PIDskh1ITd', 'NnmslcytiK', 'tHUsxjhE10', 'MeXsDS9NSb', 'VZjspMbIlK', 'PetsL26uOx', 'CjwsROXAtA', 'xZgwsa6uWZfxjKu0cF3', 'RvuNv46Drqost4V5vH0'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, qSrQvAzph7q1Whwtdf.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nACCT9R5uW', 'V7pCAy1DE3', 'DVECw22oZx', 'mRJCfEN7Xj', 'QuRCIg03BZ', 'LHXCCfcom5', 'MUTCNocNKy'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, TX2IUJqCKXcOF4SyiC.cs | High entropy of concatenated method names: 'HuVIvupng4', 'PqsIWYp6mU', 'h5fIdjtjCJ', 'qWeIGDrSFO', 'gpyIsskj77', 'xUcI9YiGWK', 'BjlIq6f8j0', 'cMGIPpWjQ6', 'uuZIBMlFXM', 'z11IZ09TgZ'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, E5vCNONIagGCodtbCT.cs | High entropy of concatenated method names: 'iUyC4ia7ir', 'UkrCelLsY8', 'MvqC5R5tkd', 'E4aCvesZYB', 'aTeCWDuoqr', 'qq5CGTuryc', 'KsnCs5pR2O', 'zWnI1PLprM', 'kVNIJNHS6o', 'xoQIElZWHK'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, wtPXA6aOi4yQVtHt1q.cs | High entropy of concatenated method names: 'awCGSUcK6D', 'QHZGp6Id5x', 'KHEdO1Rk2G', 'qIydiLbomm', 'tt6d3dJdYm', 'lNAd0YtK1V', 'Ugqdbrp9mf', 'IbSdr8J7Ta', 'k5yd6nLRJA', 'lfGdMN1OZW'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, syQhsdAea9794eGoBQ.cs | High entropy of concatenated method names: 'n1x9vPUA16', 'AvB9dOa96b', 'wTu9sme9I6', 'YRJstQTq8d', 'fuSszs2BEd', 'k4U9XIQY3s', 'l6094xi7kn', 'EVZ9K9oE44', 'KEo9egR4ZE', 'F7J95hqvaE'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, Hp3DW4tRyHZpHkAyEn.cs | High entropy of concatenated method names: 'S6aWyp7JWu', 'r4hWo0nSNG', 'P4pWaax7md', 'IiqWu7pRu3', 'HGuWQbR9FF', 's2gWHTYoqR', 'ziqW16AvQa', 'MwDWJdWbbn', 'SFMWEKOywy', 'B91WtGeYW7'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, baOPoorYqtBoNHlJt1.cs | High entropy of concatenated method names: 'hGOIUTS1T4', 'dBiIFUFZpq', 'flBIOdPDrE', 'I7DIiOKAqq', 'nDeIycNflg', 'NpwI3S9LmO', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, bcw165b0GR7c6woeMl.cs | High entropy of concatenated method names: 'YfXsmECUOv', 'R59sW4tTTj', 's5asGK5l5V', 'RRLs94fi5o', 'QwGsq7gmVL', 'UoBGQMObey', 'aajGHbBR0N', 'SoNG135AU5', 'ObjGJSLuCx', 'lQbGEqkgbP'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, HEKf6OHgT1w5yD5Wow.cs | High entropy of concatenated method names: 'ynKAMmTunq', 'AeSAj1yXpX', 'gwkAyRKyNs', 'E8HAoMEIF6', 'pB0AFG96SJ', 'jRbAOa9bTR', 'cxsAiRM4wR', 'ktPA3ZU8Z6', 'hpfA0IiY7C', 'kyOAbV8iQc'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, kU4Ur1G8FZeWCKueMv.cs | High entropy of concatenated method names: 'Dispose', 'Ipx4EZimtD', 'NUaKFLKgw9', 'eaXVVYbOcm', 'HjV4tXrMWv', 'Cwk4z2sfmO', 'ProcessDialogKey', 'BFSKXyL6Tc', 'MMLK4DZ08n', 'o2TKKNwp4J'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, PHATayJh2BUMUnwRvJ.cs | High entropy of concatenated method names: 'ylLdx7YsiW', 'Jb9dDPb07l', 'eV8dYj8aqa', 'AWBdLbH2HB', 'NgDdAvy1AG', 'aO1dwi47hC', 'rfkdf25x29', 'jf6dITl7PP', 'ugMdCgJ4tN', 'sALdNC20jN'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, qllPUTcVpuQt0wLl8Y.cs | High entropy of concatenated method names: 'Uq89kafohO', 'GP39gayiSs', 'uac9lQdhiP', 'MPp9x9oJCM', 'c4Y9SjJaUS', 'tt49DxPp6T', 'URL9pKaCR1', 'kks9YCkqS7', 'KXE9LEhDl6', 'rko9RjNp3T'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, bZjvu6ogLdvCcF21PH.cs | High entropy of concatenated method names: 'ERKemxhjoY', 'UgQevUMZ68', 'T7KeWHMYoL', 'pVmedy6LEY', 'S12eGj03AV', 'iRuesbx4pq', 'v3Ue9rhAZZ', 'lQueqr8KND', 'cvFeP9wAB4', 'okEeBY3mDP'
Source: 0.2.RqYh.exe.97c0000.6.raw.unpack, flLDcNCp6dCbeE13wiO.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UmyNyZJcDM', 'fJuNoF7wua', 'OugNaJHhdk', 'udSNuE7cnu', 'vVINQJi117', 'udvNHwr2Hb', 'OQeN1sYPqP'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00406EEB ShellExecuteW,URLDownloadToFileW, 8_2_00406EEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\ProgramData\Remcos\remcos.exe
Source: C:\Users\user\Desktop\RqYh.exe | File created: C:\Users\user\AppData\Roaming\oJSnAkAh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\ProgramData\Remcos\remcos.exe

                Boot Survival

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-B6J50C
                Source: C:\Users\user\Desktop\RqYh.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-B6J50C

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                Source: C:\Users\user\Desktop\RqYh.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\ProgramData\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: oJSnAkAh.exe PID: 8096, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040F7E2 Sleep,ExitProcess, | 8_2_0040F7E2
                Source: C:\Users\user\Desktop\RqYh.exe | Memory allocated: 1610000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RqYh.exe | Memory allocated: 3320000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RqYh.exe | Memory allocated: 5320000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RqYh.exe | Memory allocated: 9980000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RqYh.exe | Memory allocated: A980000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RqYh.exe | Memory allocated: ABA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RqYh.exe | Memory allocated: BBA0000 memory reserve | memory write watch
                Source: C:\ProgramData\Remcos\remcos.exe | Memory allocated: 1250000 memory reserve | memory write watch
                Source: C:\ProgramData\Remcos\remcos.exe | Memory allocated: 2C10000 memory reserve | memory write watch
                Source: C:\ProgramData\Remcos\remcos.exe | Memory allocated: 2B40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory allocated: 14B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory allocated: 3210000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory allocated: 5210000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory allocated: 9300000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory allocated: A300000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory allocated: A500000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory allocated: B500000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 24D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 2740000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 2540000 memory reserve | memory write watch
                Source: C:\ProgramData\Remcos\remcos.exe | Memory allocated: 2BA0000 memory reserve | memory write watch
                Source: C:\ProgramData\Remcos\remcos.exe | Memory allocated: 2E70000 memory reserve | memory write watch
                Source: C:\ProgramData\Remcos\remcos.exe | Memory allocated: 1820000 memory reserve | memory write watch
                Source: C:\ProgramData\Remcos\remcos.exe | Memory allocated: 3280000 memory reserve | memory write watch
                Source: C:\ProgramData\Remcos\remcos.exe | Memory allocated: 30C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 1640000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 30E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Memory allocated: 50E0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, | 8_2_0041A7D9
                Source: C:\Users\user\Desktop\RqYh.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\ProgramData\Remcos\remcos.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4024
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3779
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 407
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Evaded block: after key decision | graph_8-47095
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Evaded block: after key decision | graph_8-47069
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | API coverage: 6.6 %
                Source: C:\Users\user\Desktop\RqYh.exe TID: 7536 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 | Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7952 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024 | Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\ProgramData\Remcos\remcos.exe TID: 8088 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe TID: 7208 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 7328 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\ProgramData\Remcos\remcos.exe TID: 7892 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\ProgramData\Remcos\remcos.exe TID: 7936 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe TID: 7812 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 8_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 8_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 8_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 8_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 8_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2
                Source: C:\Users\user\Desktop\RqYh.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeThread delayed: delay time: 922337203685477
                Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477
                Source: C:\ProgramData\Remcos\remcos.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\userJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppDataJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_00443355 mov eax, dword ptr fs:[00000030h]8_2_00443355
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_004120B2 GetProcessHeap,HeapFree,8_2_004120B2
                Source: C:\Users\user\Desktop\RqYh.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0043503C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0043BB71
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_00434BD8 SetUnhandledExceptionFilter,8_2_00434BD8
                Source: C:\Users\user\Desktop\RqYh.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe"
Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oJSnAkAh.exe"
Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe"
Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oJSnAkAh.exe"
Source: C:\Users\user\Desktop\RqYh.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 459000
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 471000
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 477000
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 478000
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 479000
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47E000
Source: C:\Users\user\Desktop\RqYh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9C2008
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 459000
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 471000
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 477000
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 478000
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 479000
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47E000
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9CE008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_00412132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00419662 mouse_event, 8_2_00419662
Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe"
Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oJSnAkAh.exe"
Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp"
Source: C:\Users\user\Desktop\RqYh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpB8EC.tmp"
Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Users\user\AppData\Roaming\Remcos\remcos.exe "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00434CB6 cpuid 8_2_00434CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 8_2_0045201B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 8_2_004520B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00452143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW, 8_2_00452393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 8_2_00448484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_004524BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW, 8_2_004525C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00452690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW, 8_2_0044896D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoA, 8_2_0040F90C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_00451D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 8_2_00451FD0
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Users\user\Desktop\RqYh.exe VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (11 identical entries)
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\RqYh.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RqYh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformationJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformationJump to behavior
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeQueries volume information: C:\Users\user\AppData\Roaming\oJSnAkAh.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\oJSnAkAh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeQueries volume information: C:\Users\user\AppData\Roaming\Remcos\remcos.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\ProgramData\Remcos\remcos.exe VolumeInformation
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
                Source: C:\ProgramData\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeQueries volume information: C:\Users\user\AppData\Roaming\Remcos\remcos.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,8_2_0041A045
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0041B69E GetUserNameW,8_2_0041B69E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_0044942D
                Source: C:\Users\user\Desktop\RqYh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RqYh.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7964, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 8_2_0040BA4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 8_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \key3.db | 8_2_0040BB6B

                Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-B6J50C
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.457dcb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.4e45258.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RqYh.exe.44c3c90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RqYh.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7964, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: cmd.exe | 8_2_0040569A
ATT&CK matrix, one line per tactic. The number in parentheses is the count displayed next to that technique in the original grid; techniques without a number had no count.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Native API (2), Command and Scripting Interpreter (1), Scheduled Task/Job (11), Service Execution (2), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: DLL Side-Loading (1), Windows Service (1), Scheduled Task/Job (11), Registry Run Keys / Startup Folder (11), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (321), Scheduled Task/Job (11), Registry Run Keys / Startup Folder (11), Scheduled Task/Job, At, Cron, Launchd
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (12), Timestomp (1), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (321)
Credential Access: OS Credential Dumping (1), Input Capture (111), Credentials In Files (2), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (4), System Information Discovery (33), Security Software Discovery (12), Virtualization/Sandbox Evasion (31), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1), System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (11), Input Capture (111), Clipboard Data (3), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Command and Control: Ingress Tool Transfer (11), Encrypted Channel (22), Remote Access Software (1), Application Layer Protocol (11), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Defacement (1), Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1501378 | Sample: RqYh.exe | Start date: 29/08/2024 | Architecture: WINDOWS | Score: 100

Signatures attached to the start node:
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• Sigma detected: Scheduled temp file as task from temp location
• 9 other signatures

Process tree recovered from the graph (dropped files and signatures are listed under the process they are attached to):

RqYh.exe
    dropped: C:\Users\user\AppData\Roaming\oJSnAkAh.exe (PE32)
    dropped: C:\Users\...\oJSnAkAh.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmpA5C1.tmp (XML)
    dropped: C:\Users\user\AppData\Local\...\RqYh.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
    MSBuild.exe
        dropped: C:\ProgramData\Remcos\remcos.exe (PE32)
        signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionalty to change the wallpaper; 4 other signatures
        remcos.exe
            conhost.exe
    powershell.exe
        signatures: Loading BitLocker PowerShell Module
        conhost.exe
        WmiPrvSE.exe
    powershell.exe
        conhost.exe
    schtasks.exe
        conhost.exe
oJSnAkAh.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    MSBuild.exe
        dropped: C:\Users\user\AppData\Roaming\...\remcos.exe (PE32)
        signatures: Creates autostart registry keys with suspicious names
        remcos.exe
            conhost.exe
    schtasks.exe
        conhost.exe
remcos.exe
    conhost.exe
2 other processes
    conhost.exe
    conhost.exe

Source | Detection | Scanner | Label
RqYh.exe | 63% | ReversingLabs | Win32.Backdoor.Remcos
RqYh.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\oJSnAkAh.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Remcos\remcos.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\oJSnAkAh.exe | 63% | ReversingLabs | Win32.Backdoor.Remcos

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://go.microsoft.c | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
rodri.selfip.net | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
rodri.selfip.net | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp | MSBuild.exe | false | URL Reputation: safe | unknown
http://www.typography.netD | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | RqYh.exe, 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, RqYh.exe, 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://go.microsoft.c | remcos.exe, 00000012.00000002.1781846923.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RqYh.exe, 00000000.00000002.1698198829.0000000003321000.00000004.00000800.00020000.00000000.sdmp, oJSnAkAh.exe, 0000000B.00000002.1747970715.0000000003211000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | RqYh.exe, 00000000.00000002.1706254789.0000000007482000.00000004.00000800.00020000.00000000.sdmp, RqYh.exe, 00000000.00000002.1706001829.0000000005C64000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1501378
Start date and time: 2024-08-29 20:31:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RqYh.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@31/23@0/0
EGA Information:
• Successful, ratio: 37.5%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 258
• Number of non-executed functions: 220
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 40.127.169.103, 199.232.210.172, 192.229.221.95, 20.3.187.198, 52.165.164.15, 20.12.23.50
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target remcos.exe, PID 5040 because it is empty
• Execution Graph export aborted for target remcos.exe, PID 7436 because it is empty
• Execution Graph export aborted for target remcos.exe, PID 7852 because it is empty
• Execution Graph export aborted for target remcos.exe, PID 7888 because it is empty
• Execution Graph export aborted for target remcos.exe, PID 8036 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: RqYh.exe
Time | Type | Description
14:31:53 | API Interceptor | 1x Sleep call for process: RqYh.exe modified
14:31:56 | API Interceptor | 41x Sleep call for process: powershell.exe modified
14:31:59 | API Interceptor | 1x Sleep call for process: oJSnAkAh.exe modified
19:31:56 | Task Scheduler | Run new task: oJSnAkAh path: C:\Users\user\AppData\Roaming\oJSnAkAh.exe
19:31:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-B6J50C "C:\ProgramData\Remcos\remcos.exe"
19:32:06 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-B6J50C "C:\ProgramData\Remcos\remcos.exe"
19:32:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-B6J50C "C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | http://my.manychat.com/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://idtyvfyfmst.weebly.com | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | Gxm6KI51wl.exe | malicious | PureLog Stealer, zgRAT | 199.232.214.172
bg.microsoft.map.fastly.net | http://www.water-filter.com | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | http://general72.s3-website.us-east-2.amazonaws.com | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://premium.davidabostic.com | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015 | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20= | malicious | Captcha Phish, HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | unitedserviceorganizationsstaff-5.8.9154-windows-installer.msi | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | https://mpcpallc.weebly.com/ | malicious | Unknown | 199.232.214.172
fp2e7a.wpc.phicdn.net | adbce.exe | malicious | AZORult, Quasar, Ramnit | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://my.manychat.com/ | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | SecuriteInfo.com.Win64.MalwareX-gen.10229.1578.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://idtyvfyfmst.weebly.com | malicious | HTMLPhisher | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://getquckbulck.top | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://passtcnet.homeunix.com/amj/2.mp4 | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://sgsconsulting.com/ | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://idtyvfyfmst.weebly.com | malicious | HTMLPhisher | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://www.water-filter.com | malicious | HTMLPhisher | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://econltractors.com | malicious | HTMLPhisher | 192.229.221.95
                    No context
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | setup.exe | malicious | XWorm
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | cinxa7dbiq.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | 7va1lgSJFv.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | SecuriteInfo.com.Trojan.Siggen18.41021.9404.23168.exe | malicious | SmokeLoader
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | LisectAVT_2403002A_60.exe | malicious | AZORult, NetWire
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | LisectAVT_2403002A_348.exe | malicious | Njrat
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe | malicious | Nanocore, Remcos
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Db1Z06qMmP6G0Dk.exe | malicious | Remcos, PureLog Stealer
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | tQNFmu1E8CU72k9.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Leaked.exe | malicious | XWorm
C:\ProgramData\Remcos\remcos.exe | setup.exe | malicious | XWorm
C:\ProgramData\Remcos\remcos.exe | cinxa7dbiq.exe | malicious | AgentTesla
C:\ProgramData\Remcos\remcos.exe | 7va1lgSJFv.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\ProgramData\Remcos\remcos.exe | SecuriteInfo.com.Trojan.Siggen18.41021.9404.23168.exe | malicious | SmokeLoader
C:\ProgramData\Remcos\remcos.exe | LisectAVT_2403002A_60.exe | malicious | AZORult, NetWire
C:\ProgramData\Remcos\remcos.exe | LisectAVT_2403002A_348.exe | malicious | Njrat
C:\ProgramData\Remcos\remcos.exe | af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe | malicious | Nanocore, Remcos
C:\ProgramData\Remcos\remcos.exe | Db1Z06qMmP6G0Dk.exe | malicious | Remcos, PureLog Stealer
C:\ProgramData\Remcos\remcos.exe | tQNFmu1E8CU72k9.exe | malicious | AgentTesla
C:\ProgramData\Remcos\remcos.exe | Leaked.exe | malicious | XWorm
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 262432
Entropy (8bit): 6.179415524830389
Encrypted: false
SSDEEP: 3072:7a0t0yH5wCwie3NnQNLpj/Wnqvsw2XpFU4rwOeTubZSzf02RFihx2uzj:m0ny3nnKpqnZRXfw702birr/
MD5: 8FDF47E0FF70C40ED3A17014AEEA4232
SHA1: E6256A0159688F0560B015DA4D967F41CBF8C9BD
SHA-256: ED9884BAC608C06B7057037CC91D90E4AE5F74DD2DBCE2AF476699C6D4492D82
SHA-512: BD69D092ED4F9C5E1F24EAF5EC79FB316469D53849DC798FAE0FCBA5E90869B77EE924C23CC6F692198FF25827AB60AD47BB46CADD6E0AADDE7731CBAFB013BE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: setup.exe, Detection: malicious
• Filename: cinxa7dbiq.exe, Detection: malicious
• Filename: 7va1lgSJFv.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen18.41021.9404.23168.exe, Detection: malicious
• Filename: LisectAVT_2403002A_60.exe, Detection: malicious
                                                            • Filename: LisectAVT_2403002A_348.exe, Detection: malicious, Browse
                                                            • Filename: af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe, Detection: malicious, Browse
                                                            • Filename: Db1Z06qMmP6G0Dk.exe, Detection: malicious, Browse
                                                            • Filename: tQNFmu1E8CU72k9.exe, Detection: malicious, Browse
                                                            • Filename: Leaked.exe, Detection: malicious, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.].........."...0..|...B......:.... ........@.. ...............................L....`....................................O........>.............. A........................................................... ............... ..H............text...Xz... ...|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B........................H........)...................|..........................................*.{.......*v.(=....r...p({...-..+..}....*....0..%........(....-..*....(z.....&..}.........*.*....................0..5........(....-..*.-.r+..ps>...z.....i(z.....&..}.........*.*............%......>....(?...(....*N..(@....oA...(....*:...(B...(....*:...(C...(....**....(....*....0..G........(....,..*..(....-...}.....*.r...p(x...&.(v.....}......&..}.........*.*..........7.......0..f........-.r7..ps>...z .....
                                                            Process:C:\Users\user\Desktop\RqYh.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Users\user\AppData\Roaming\oJSnAkAh.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\ProgramData\Remcos\remcos.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):841
                                                            Entropy (8bit):5.351831766340675
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoIvEE4xDqE4j:MxHKlYHKh3oPtHo6wvEHxDqHj
                                                            MD5:98DCC730A3C77DCDCA7CD8717EB5D42A
                                                            SHA1:639509210C17EB73F5DB581FA8CA46B1157D8806
                                                            SHA-256:E3C80885BCC7FE4F349EFB0470D261E0DE273EE26D47AF09C79F1B4B2F891E49
                                                            SHA-512:7D11C53167839D428DAE35BF759C73FC0C7C49F2DE35CC99E4F8B69CDD40DFBEEF6D355F15FAB1EED62A64AF94E7BA311C0F8E07C3DA6F3A63410CC3E9882B78
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):2232
                                                            Entropy (8bit):5.3797706053345555
                                                            Encrypted:false
                                                            SSDEEP:48:fWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugei/ZPUyus:fLHxv2IfLZ2KRH6Ougss
                                                            MD5:F3304632AE63F0018D885665CC27DB78
                                                            SHA1:E6F581EF2B0C057290349FAED29642D24602DDC1
                                                            SHA-256:81536A134CDAD5C1C501EEB0E5A78A0079865BB2B38ABEF01B13D0972F59FEFF
                                                            SHA-512:93B57A12C45DCE5E2355C9C7C32498290ABB2F125509F80332C20398ECCAD04CE5DCF24E2385A92547EC02722F75A667E8ECBAF942FE08BFAED18DA4BFFA99C0
                                                            Malicious:false
                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Users\user\Desktop\RqYh.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1574
                                                            Entropy (8bit):5.106678316793118
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKVxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTdv
                                                            MD5:C4E5D4C0F622F3ABBF5C912FF0B3FD96
                                                            SHA1:6463DEDD9EED95CCDA8BCA106BA2E2FBF12AD58B
                                                            SHA-256:A5551180AA3275A8C570A1214EBD04E7D14DDC75631853DD9F7F1AAC3DCE5F10
                                                            SHA-512:1B4EDFFB4C2ED1BDC1DF55076972786DAF85CE1614FF7E64D246FDC1F32289ED3DA868465B96E3CF3FCC5D27947DF6383F3CB89395B20E5F99F27EA3C4C1723B
                                                            Malicious:true
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                            Process:C:\Users\user\AppData\Roaming\oJSnAkAh.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1574
                                                            Entropy (8bit):5.106678316793118
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKVxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTdv
                                                            MD5:C4E5D4C0F622F3ABBF5C912FF0B3FD96
                                                            SHA1:6463DEDD9EED95CCDA8BCA106BA2E2FBF12AD58B
                                                            SHA-256:A5551180AA3275A8C570A1214EBD04E7D14DDC75631853DD9F7F1AAC3DCE5F10
                                                            SHA-512:1B4EDFFB4C2ED1BDC1DF55076972786DAF85CE1614FF7E64D246FDC1F32289ED3DA868465B96E3CF3FCC5D27947DF6383F3CB89395B20E5F99F27EA3C4C1723B
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                            Process:C:\Users\user\Desktop\RqYh.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):993280
                                                            Entropy (8bit):7.829919893800668
                                                            Encrypted:false
                                                            SSDEEP:24576:BYx8QzPlMGKwlyvxR27CYOlOLkgggD8lyftUCp2mv:6x8QzZYvxR2WbRggp0XT
                                                            MD5:4B487F91D2504883B4C9DF18848AF5EF
                                                            SHA1:964E913B8B4CBA2232E46B3FE0B73B1C009BED7D
                                                            SHA-256:F34FD6A0B6536F074E3A1BC41F0E35A80667688DE9668CD1D75F6920A06E7607
                                                            SHA-512:2F38DFA36BFF6235DCDDB359AF65E3374F556E40FD950C6E5E9B52A474D46227D833FD9897EFC925B781F6B97B093B29DC9D119EDC88D76A23D3407A1471E23B
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 63%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5.................0.............:6... ...@....@.. ....................................@..................................5..O....@.......................`..........p............................................ ............... ..H............text...@.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................6......H...........4Q......`........E............................................{....*"..}....*~.(.......s....}.....s....}....*>..{.....o.....*>..{.....o.....*....0............{.....+..*.0............{.....+..*j..{....o......{....o.....*..{....*"..}....*..{....*"..}....*..{....*"..}....*...0...........(.........%.(......(.....*..0..............%.(......(.....*.0............s.......o....o.......o....o.......o.....+O.o.......u.........,$..(..........X(.......u....(......+...(........
                                                            Process:C:\Users\user\Desktop\RqYh.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                            Process:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):298
                                                            Entropy (8bit):4.924206445966445
                                                            Encrypted:false
                                                            SSDEEP:6:zx3M1tFAbQtASR30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13P30ZMt9BFN+QdCT2UftCM+
                                                            MD5:932782CF70ED00D22C0B08B5027B4E31
                                                            SHA1:78F460A2155D9E819B8452C281285D7E0A7AC14F
                                                            SHA-256:F2C2477FB3FD0A30F3D3D8637EF9C774B43E940043635DF90CDD804799A2ECE7
                                                            SHA-512:C83E72797C03CABCAB066B95BAEEBB13944143846794061CF9482EA3B283979E470930047FDAE72A6F06F51F3127FF39DAAEFAAD7557E3AD49F590B9E7B78D24
                                                            Malicious:false
                                                            Preview:Microsoft (R) Build Engine version 4.8.4084.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.829919893800668
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:RqYh.exe
                                                            File size:993'280 bytes
                                                            MD5:4b487f91d2504883b4c9df18848af5ef
                                                            SHA1:964e913b8b4cba2232e46b3fe0b73b1c009bed7d
                                                            SHA256:f34fd6a0b6536f074e3a1bc41f0e35a80667688de9668cd1d75f6920a06e7607
                                                            SHA512:2f38dfa36bff6235dcddb359af65e3374f556e40fd950c6e5e9b52a474d46227d833fd9897efc925b781f6b97b093b29dc9d119edc88d76a23d3407a1471e23b
                                                            SSDEEP:24576:BYx8QzPlMGKwlyvxR27CYOlOLkgggD8lyftUCp2mv:6x8QzZYvxR2WbRggp0XT
                                                            TLSH:3A2502902516D60AD96493FD09B1F3B513BD2EDCE802D26A5FEEBCEBB636B454D00093
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5.................0.............:6... ...@....@.. ....................................@................................
                                                            Icon Hash:89d95a5676565211
                                                            Entrypoint:0x4f363a
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x8EFCCA35 [Sun Jan 7 09:51:49 2046 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf35e7 | 0x4f | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0xb9c | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf6000 | 0xc | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf1680 | 0x70 | .text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x2000 | 0xf1640 | 0xf1800 | b04e261236c503315fe05a3e6a81cb3c | False | 0.9212391223473085 | data | 7.8367429863866045 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0xf4000 | 0xb9c | 0xc00 | 992fbd2824ee161c2c599511f7a3b72e | False | 0.4781901041666667 | data | 5.248404550976795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0xf6000 | 0xc | 0x200 | 7bc6d2afba04de2c9e696cd29c3b16b0 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_ICON | 0xf4130 | 0x550 | Device independent bitmap graphic, 32 x 20 x 32, image size 1280 | | | 0.524264705882353
                                                            RT_GROUP_ICON | 0xf4680 | 0x14 | data | | | 1.05
                                                            RT_VERSION | 0xf4694 | 0x31c | data | | | 0.4334170854271357
                                                            RT_MANIFEST | 0xf49b0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                            DLL | Import
                                                            mscoree.dll | _CorExeMain
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Aug 29, 2024 20:31:49.610702991 CEST | 49675 | 443 | 192.168.2.4 | 173.222.162.32
                                                            Aug 29, 2024 20:31:59.252422094 CEST | 49675 | 443 | 192.168.2.4 | 173.222.162.32
                                                            Aug 29, 2024 20:32:17.839854002 CEST | 80 | 49723 | 87.248.205.0 | 192.168.2.4
                                                            Aug 29, 2024 20:32:17.839988947 CEST | 49723 | 80 | 192.168.2.4 | 87.248.205.0
                                                            Aug 29, 2024 20:32:17.839988947 CEST | 49723 | 80 | 192.168.2.4 | 87.248.205.0
                                                            Aug 29, 2024 20:32:17.844820023 CEST | 80 | 49723 | 87.248.205.0 | 192.168.2.4
                                                            Aug 29, 2024 20:33:07.001979113 CEST | 49724 | 80 | 192.168.2.4 | 199.232.214.172
                                                            Aug 29, 2024 20:33:07.008158922 CEST | 80 | 49724 | 199.232.214.172 | 192.168.2.4
                                                            Aug 29, 2024 20:33:07.008228064 CEST | 49724 | 80 | 192.168.2.4 | 199.232.214.172
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Aug 29, 2024 20:32:12.193362951 CEST | 1.1.1.1 | 192.168.2.4 | 0x7b92 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                            Aug 29, 2024 20:32:12.193362951 CEST | 1.1.1.1 | 192.168.2.4 | 0x7b92 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                            Aug 29, 2024 20:32:12.722889900 CEST | 1.1.1.1 | 192.168.2.4 | 0x940d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Aug 29, 2024 20:32:12.722889900 CEST | 1.1.1.1 | 192.168.2.4 | 0x940d | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                                                            Aug 29, 2024 20:32:25.713749886 CEST | 1.1.1.1 | 192.168.2.4 | 0x110e | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Aug 29, 2024 20:32:25.713749886 CEST | 1.1.1.1 | 192.168.2.4 | 0x110e | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false

                                                            Target ID:0
                                                            Start time:14:31:52
                                                            Start date:29/08/2024
                                                            Path:C:\Users\user\Desktop\RqYh.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\RqYh.exe"
                                                            Imagebase:0xee0000
                                                            File size:993'280 bytes
                                                            MD5 hash:4B487F91D2504883B4C9DF18848AF5EF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1701186570.0000000004E45000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1701186570.000000000446C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:14:31:55
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RqYh.exe"
                                                            Imagebase:0x7b0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:14:31:55
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:14:31:55
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oJSnAkAh.exe"
                                                            Imagebase:0x7b0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:14:31:55
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:14:31:55
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpA5C1.tmp"
                                                            Imagebase:0x2d0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:14:31:55
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:14:31:55
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                            Imagebase:0x6a0000
                                                            File size:262'432 bytes
                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:14:31:56
                                                            Start date:29/08/2024
                                                            Path:C:\ProgramData\Remcos\remcos.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                            Imagebase:0x890000
                                                            File size:262'432 bytes
                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:14:31:56
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:14:31:57
                                                            Start date:29/08/2024
                                                            Path:C:\Users\user\AppData\Roaming\oJSnAkAh.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\oJSnAkAh.exe
                                                            Imagebase:0xd50000
                                                            File size:993'280 bytes
                                                            MD5 hash:4B487F91D2504883B4C9DF18848AF5EF
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 63%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:14:31:58
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff693ab0000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:14:32:01
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJSnAkAh" /XML "C:\Users\user\AppData\Local\Temp\tmpB8EC.tmp"
                                                            Imagebase:0x2d0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:14:32:01
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:14:32:01
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                            Imagebase:0x7a0000
                                                            File size:262'432 bytes
                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:14:32:01
                                                            Start date:29/08/2024
                                                            Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
                                                            Imagebase:0x360000
                                                            File size:262'432 bytes
                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:14:32:02
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:14:32:06
                                                            Start date:29/08/2024
                                                            Path:C:\ProgramData\Remcos\remcos.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                            Imagebase:0x8f0000
                                                            File size:262'432 bytes
                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:14:32:06
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:14:32:14
                                                            Start date:29/08/2024
                                                            Path:C:\ProgramData\Remcos\remcos.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\ProgramData\Remcos\remcos.exe"
                                                            Imagebase:0xec0000
                                                            File size:262'432 bytes
                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:14:32:14
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:14:32:22
                                                            Start date:29/08/2024
                                                            Path:C:\Users\user\AppData\Roaming\Remcos\remcos.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\Remcos\remcos.exe"
                                                            Imagebase:0xdd0000
                                                            File size:262'432 bytes
                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:14:32:22
                                                            Start date:29/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:11.7%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:280
                                                              Total number of Limit Nodes:19
                                                              execution_graph: [call-graph rendering not recoverable as text; API calls referenced by graph nodes: DrawTextExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, ReadProcessMemory, WriteProcessMemory, CreateProcessA, ResumeThread, VirtualAllocEx, Wow64SetThreadContext, PostMessageW, CreateActCtxA, GetModuleHandleW, LoadLibraryExW, DuplicateHandle]
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1708551494.00000000091D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_91d0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bd63fe663d4b9bd9ba8f6594e985b65f99d54c5955f3afeb329e311bb9b0dff
                                                              • Instruction ID: 016f82daee0e9eae81d913626bf7ddb7856c9cd15108be7563043493dd78977a
                                                              • Opcode Fuzzy Hash: 8bd63fe663d4b9bd9ba8f6594e985b65f99d54c5955f3afeb329e311bb9b0dff
                                                              • Instruction Fuzzy Hash: 80A21831E002598FDB15DF68CC946EDB7B2FF89304F1482A9D80AA7255EB74AE85CF50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707822502.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7d80000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b578992e648475f3b9c89444e7371de749c1763c4f3f9d0e63a7862db7ffa920
                                                              • Instruction ID: 5bc97c1bb30afbf77152989d03d483d88c6507057cdc308a970311e8eb3f0f2c
                                                              • Opcode Fuzzy Hash: b578992e648475f3b9c89444e7371de749c1763c4f3f9d0e63a7862db7ffa920
                                                              • Instruction Fuzzy Hash: FD723770A1021ACFCB15EB24C990BE8B7B2FF99304F1546EAD4496B251EB71ADC5CF90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5c8c21ebd98a6357b783f85642adc1fb3856e587b3766aa5bce1636f1ba41a2
                                                              • Instruction ID: 4e868fd6be033cac7a124917edef62fdaceffabd24fe3f13148b30ea9ac522f1
                                                              • Opcode Fuzzy Hash: a5c8c21ebd98a6357b783f85642adc1fb3856e587b3766aa5bce1636f1ba41a2
                                                              • Instruction Fuzzy Hash:

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0161D4BE
                                                              • GetCurrentThread.KERNEL32 ref: 0161D4FB
                                                              • GetCurrentProcess.KERNEL32 ref: 0161D538
                                                              • GetCurrentThreadId.KERNEL32 ref: 0161D591
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: d2c1dcb77e50085fb08c5f948575811c1a2f30503ffa1dcb48b69fde8b7ec977
                                                              • Instruction ID: fac224938194c4544c0073ffee3c4066f16bbd6bed285e9d9380be412d143094
                                                              • Opcode Fuzzy Hash: d2c1dcb77e50085fb08c5f948575811c1a2f30503ffa1dcb48b69fde8b7ec977
                                                              • Instruction Fuzzy Hash: AE5157B09002098FDB54DFA9D948BAEBBF5FF88318F24C419E509A7360D734A984CB65

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0161D4BE
                                                              • GetCurrentThread.KERNEL32 ref: 0161D4FB
                                                              • GetCurrentProcess.KERNEL32 ref: 0161D538
                                                              • GetCurrentThreadId.KERNEL32 ref: 0161D591
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 3677563112d89700db6a62d496a6470cef19388b7a55f4eefd43164642c11db4
                                                              • Instruction ID: dbf52568abff5421ce0a1b5083912589fce2ddb9e2e703d1ca6fb1ad53aec1b6
                                                              • Opcode Fuzzy Hash: 3677563112d89700db6a62d496a6470cef19388b7a55f4eefd43164642c11db4
                                                              • Instruction Fuzzy Hash: E75146B09003498FDB54CFA9D948B9EBFF1EF48318F24846AD119AB360D734A984CB65

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Hjq$Hjq
                                                              • API String ID: 0-2395847853
                                                              • Opcode ID: 869239c26c00d470715fb8cae699233c68e5bcec1779fabbfbb9b4300b270142
                                                              • Instruction ID: 84940926488851b646615314f54cfebe99997bdc3941232aade93ae3b5b7fe98
                                                              • Opcode Fuzzy Hash: 869239c26c00d470715fb8cae699233c68e5bcec1779fabbfbb9b4300b270142
                                                              • Instruction Fuzzy Hash: 9A814971E002199FDB08DFA9C8946EEBBF6FF89300F14852AE909EB354DB745905CB91

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (jq$Hjq
                                                              • API String ID: 0-2151573235
                                                              • Opcode ID: bb7fe994c2b887494d128255f618da5607d164f775739171d3bc8c39429d5d9d
                                                              • Instruction ID: d44beef013fec93f3aa6b00e8ef4d13620c5c3caaa92cfc6fb05a3b1024e7ea9
                                                              • Opcode Fuzzy Hash: bb7fe994c2b887494d128255f618da5607d164f775739171d3bc8c39429d5d9d
                                                              • Instruction Fuzzy Hash: BD718F31B006058FCB49EF7CC8945AA77B6FFC9310B558669D909AB365EF30AC45CB81

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: 0f82cd6d65568ac9d25e6824bbd8a6fd06219001139e164707dfe3dc5d8124da
                                                              • Instruction ID: fc7e69e4d7f2dd172a3b6d7a8f16198d1301f616ac11502922bb4abf3e341a3a
                                                              • Opcode Fuzzy Hash: 0f82cd6d65568ac9d25e6824bbd8a6fd06219001139e164707dfe3dc5d8124da
                                                              • Instruction Fuzzy Hash: E871AF31910701CFEB10EF28DD86555B7F2FF85314B4196A8D949AB32AEB71F994CB80

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: 12933b83e7ec2393f4d889d1aa91692937e22be85fe29e69e99a19f1e178d2c6
                                                              • Instruction ID: 136ae7fae6496a55ec334bc6faaea4904006e310346cbf78d0c40baacdff2041
                                                              • Opcode Fuzzy Hash: 12933b83e7ec2393f4d889d1aa91692937e22be85fe29e69e99a19f1e178d2c6
                                                              • Instruction Fuzzy Hash: 7571AF31910701CFEB10EF28DD86655B7F1FF85304F4196A8D949AB32AEB71EA94CB80
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B0409E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 896f47f3e3ddb459ea95698971be31a24267868e3ed6d64f8d91cdea5299411f
                                                              • Instruction ID: 313b5a1919bd7a82e744694c52af7f5fa545669963e491d35262ae63e84a19a2
                                                              • Opcode Fuzzy Hash: 896f47f3e3ddb459ea95698971be31a24267868e3ed6d64f8d91cdea5299411f
                                                              • Instruction Fuzzy Hash: 66A14AB1D0025ADFEF24DF68C8457EDBBF2FB49310F1481A9E818A7280DB7499858F91
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B0409E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 168955119b5f5fa5477bf44bc6eef7631be80a9776d2793e0391b1ff746bc75c
                                                              • Instruction ID: ed58c2df4a91cf93dd933f9e3424053c8b6dc85f7ef0d16408e10020a3044b83
                                                              • Opcode Fuzzy Hash: 168955119b5f5fa5477bf44bc6eef7631be80a9776d2793e0391b1ff746bc75c
                                                              • Instruction Fuzzy Hash: 28914AB1D0025ADFEF24DF68C8457ADBBB2FB49310F1481A9E818A7290DB749985CF91
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0161AFFE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: cd093ef1a14b2602324aa544956ab539984cd16fd281cd24607dcb9f868ccb29
                                                              • Instruction ID: 9772477318edb9b1b9bd135ef332ac41a24e43d8b54c2a9b1a00e179ff9d8ef8
                                                              • Opcode Fuzzy Hash: cd093ef1a14b2602324aa544956ab539984cd16fd281cd24607dcb9f868ccb29
                                                              • Instruction Fuzzy Hash: 167143B0A01B458FDB24DF6AC84079ABBF1BF88204F048A2DD14AD7B44DB35E845CB91
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B03B8E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 12ad7bd11e4886d98232254d28b0e287d68e9628a79e91fddb3e94471a18f4b4
                                                              • Instruction ID: 5c4f88cc3d60df5ea957e751c2f6c43799e27b82986764a825bc6600768d7d9c
                                                              • Opcode Fuzzy Hash: 12ad7bd11e4886d98232254d28b0e287d68e9628a79e91fddb3e94471a18f4b4
                                                              • Instruction Fuzzy Hash: FA416CB5D002498FDB10CFA9D885ADEBFF0FF48324F10809AE555AB250CB319940DF90
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 016159C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 00d6f17ec9de7fe3505a8b25ca2b276308c6ceb12b3eb266f7335468a812b1bb
                                                              • Instruction ID: 9ed4fac1fbdaf21ae9f91bede176bd5e7098ea606523e7e727dd872578f84488
                                                              • Opcode Fuzzy Hash: 00d6f17ec9de7fe3505a8b25ca2b276308c6ceb12b3eb266f7335468a812b1bb
                                                              • Instruction Fuzzy Hash: 7241EDB0C00719CFDB24CFA9C984ADEBBB6BF89304F24806AD409AB255DB716945CF90
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 016159C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 189edc62155822fc45f3a08062abc662e7e686ede07a51be227682c4a76b0438
                                                              • Instruction ID: 3fd7b9370ca0febec5ad8bffaf2abb415b17bf14661d56a0c4509f86f2f66d1c
                                                              • Opcode Fuzzy Hash: 189edc62155822fc45f3a08062abc662e7e686ede07a51be227682c4a76b0438
                                                              • Instruction Fuzzy Hash: 5941E1B0C0071DCEDB24DFA9C884B8EFBB5BF89304F24806AD409AB255DB756945CF90
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B03C70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 7c1de51cef23760700e3a0071862ad9cd89eec4e5e3b1232f8527dcb872d48d2
                                                              • Instruction ID: 2e5a0ea11211aaa3473886d7f41ec27609fac4a79bf9747e8015c3b7babd98aa
                                                              • Opcode Fuzzy Hash: 7c1de51cef23760700e3a0071862ad9cd89eec4e5e3b1232f8527dcb872d48d2
                                                              • Instruction Fuzzy Hash: 60212AB69003499FDB10CFA9C885BDEBFF5FF48320F10882AE918A7240C7789550DBA1
                                                              APIs
                                                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07D87D2F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707822502.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7d80000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: DrawText
                                                              • String ID:
                                                              • API String ID: 2175133113-0
                                                              • Opcode ID: 0fc19be8669e3dcdfd67422534bf636259899abd8b6c0bef3be91a74cc9c6132
                                                              • Instruction ID: 9eb30f05f8d1928ac045cb28356d68902655d054c95f7c40494addae2be2153b
                                                              • Opcode Fuzzy Hash: 0fc19be8669e3dcdfd67422534bf636259899abd8b6c0bef3be91a74cc9c6132
                                                              • Instruction Fuzzy Hash: 3D21C3B5D002499FDB10DF9AD884A9EFBF5FB48320F24842AE919A7310D775A944CFA4
                                                              APIs
                                                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07D87D2F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707822502.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7d80000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: DrawText
                                                              • String ID:
                                                              • API String ID: 2175133113-0
                                                              • Opcode ID: 7d08c2e296926fe5756530242cf2c5c643bbd0bf456110df3f92da313dadf9c2
                                                              • Instruction ID: 5720c75dbee088cfffc2c4eb79fde001b6d0ddd963a140c9dadf0cfd8ad3529e
                                                              • Opcode Fuzzy Hash: 7d08c2e296926fe5756530242cf2c5c643bbd0bf456110df3f92da313dadf9c2
                                                              • Instruction Fuzzy Hash: 9C21C3B5D002499FDB10DF9AD884A9EFBF5FB48320F24842AE919A7310D775A544CFA0
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B03C70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 35cfe146995fc2c8e0f73f160ea5e6b39471e847239d8fa49e70b1d924e2d345
                                                              • Instruction ID: 0b5d3ea45ba22a6b576ed6203b751a69890a4d6048e13f770fde5897c4ce853d
                                                              • Opcode Fuzzy Hash: 35cfe146995fc2c8e0f73f160ea5e6b39471e847239d8fa49e70b1d924e2d345
                                                              • Instruction Fuzzy Hash: F82127B19003499FDB10CFAAC885BDEBBF5FF48320F10842AE918A7240C7789950DBA1
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B0368E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 28b66de88f0ebde27a21610b620993dec5260ce173d2adcb9d2bb8fac5348d2a
                                                              • Instruction ID: 3fc759a6805aae24547a5d4eb0c8a045628f18a0a06965c03fb6945530b9215f
                                                              • Opcode Fuzzy Hash: 28b66de88f0ebde27a21610b620993dec5260ce173d2adcb9d2bb8fac5348d2a
                                                              • Instruction Fuzzy Hash: 232159B190024A8FDB10CFAAC485BEEBBF5EF88324F14846AD419A7340C7789544CFA0
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B0368E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 1fb8e37ac100fa90b55cb45fb716392ef0ea22aeace6cf9062f1ac353a176887
                                                              • Instruction ID: b347f0b5ea61daca4f48f7bb7b9285ddf2750ff350112ad7dc66591858eb2de9
                                                              • Opcode Fuzzy Hash: 1fb8e37ac100fa90b55cb45fb716392ef0ea22aeace6cf9062f1ac353a176887
                                                              • Instruction Fuzzy Hash: 942138B19003098FDB10DFAAC485BAEBBF4EF48324F14842AD519A7340CB789944CFA1
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B03D50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 6df0d9022ca702ba7bbcac4ae159ad70f2dd816f7fe58f4455011ff806a4a504
                                                              • Instruction ID: 16039d1855de4d337a7c9fb20cd92befbc39f9bdb9e33d42e50b40239ee9d11e
                                                              • Opcode Fuzzy Hash: 6df0d9022ca702ba7bbcac4ae159ad70f2dd816f7fe58f4455011ff806a4a504
                                                              • Instruction Fuzzy Hash: 1721F8B1D003599FDB10DFAAC885ADEBBF5FF48320F10842AE519A7250C7799544DBA1
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0161D70F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 58fe190e002d4443624ca89185d30f9b3c493d9668e7243e034126cc160bf8bb
                                                              • Instruction ID: ae5c6f5ddfede3b0bf6d51d1258ed3b7c048b322eeb3e867a09dfcbb36bff1ba
                                                              • Opcode Fuzzy Hash: 58fe190e002d4443624ca89185d30f9b3c493d9668e7243e034126cc160bf8bb
                                                              • Instruction Fuzzy Hash: 1D21E4B59002489FDB10CFAAD984ADEBFF8EB48324F14841AE914A7310D374A940DF61
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0161D70F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 146725d66647a12e02dc07c6bda48338f77696291d5878b4a9396baebcd7d0af
                                                              • Instruction ID: a640af6fab6c95206004336f5b802ba36a28b25dd9c3a21b5f3f9b5ce7ffcd81
                                                              • Opcode Fuzzy Hash: 146725d66647a12e02dc07c6bda48338f77696291d5878b4a9396baebcd7d0af
                                                              • Instruction Fuzzy Hash: 2C21F3B5900249DFDB10CF99D984ADEBBF4EB48324F24841AE914A7310D379AA40DF61
                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0161B079,00000800,00000000,00000000), ref: 0161B68A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: a3f0920d3143b797fc046602dc7bfc251a33ed9578bddd2c4cebd3d048b3b8a1
                                                              • Instruction ID: 9367773c6c7ef737b02a3e0aa7a377c62dc82656cfef01b7b03d7b37480dfc3b
                                                              • Opcode Fuzzy Hash: a3f0920d3143b797fc046602dc7bfc251a33ed9578bddd2c4cebd3d048b3b8a1
                                                              • Instruction Fuzzy Hash: 8E1112B68003599FDB10CFAAC844B9EFBF4EB98320F14842AE519A7300C375A545CFA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 689fec9d741ee908506e41ad606cf2761f1f6aeb4678e3a7d2675e6ed6d28767
                                                              • Instruction ID: 40154bd29032df65fb1a18b2efb4b475226f3411fd0f91ff49e55c8fff5a8136
                                                              • Opcode Fuzzy Hash: 689fec9d741ee908506e41ad606cf2761f1f6aeb4678e3a7d2675e6ed6d28767
                                                              • Instruction Fuzzy Hash: 5E1149B19002499FDB20DFAAD445BDEFFF4EF88324F24841AD519A7640CA75A540CBA1
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B03B8E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 2348194647f2b78ce1cb5af7de5864c0c88752830256f269a347c083f05fb2dd
                                                              • Instruction ID: 74f545d771af12266a46345ec13928af3cfa1a1b2b315eb9803678cdc35493f8
                                                              • Opcode Fuzzy Hash: 2348194647f2b78ce1cb5af7de5864c0c88752830256f269a347c083f05fb2dd
                                                              • Instruction Fuzzy Hash: 0E1137B29002499FDB10DFAAC845BDEBFF5EF88324F24881AE519A7250C775A540DFA1
                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0161B079,00000800,00000000,00000000), ref: 0161B68A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: d3f9f3e7286cef9d2dd9861b60a20c04d9b7bef6ac8d293c1f2b32c815f497f5
                                                              • Instruction ID: 0f16eb948b3cb70e7056fffd6aa44b154ea177877274bd57cafc6bd55681addc
                                                              • Opcode Fuzzy Hash: d3f9f3e7286cef9d2dd9861b60a20c04d9b7bef6ac8d293c1f2b32c815f497f5
                                                              • Instruction Fuzzy Hash: 9B1123B6C003488FDB10CF9AC440BDEFBF0AB59324F14892ED529A7610C379A505CFA4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 8d3484c9dd02454737e8f6f0c733c8b04efc6366256a5c47e78a26d6236f17be
                                                              • Instruction ID: 6acd09cfa5c5f5c0e78566e2c20de3b026bc33a84e67a074878278fcc0780463
                                                              • Opcode Fuzzy Hash: 8d3484c9dd02454737e8f6f0c733c8b04efc6366256a5c47e78a26d6236f17be
                                                              • Instruction Fuzzy Hash: E51128B19002498FDB20DFAAC445B9EFFF5EB88324F24881AD519A7250CA75A540CB91
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B0869D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 7db29d78f4942c7d29a0befb60241f65c57769d1516865c2c74a9a4420468e04
                                                              • Instruction ID: 4e5a259c7348cccae8f94e85a00d55890fa58eb2b341c4379d652df2d3f29f47
                                                              • Opcode Fuzzy Hash: 7db29d78f4942c7d29a0befb60241f65c57769d1516865c2c74a9a4420468e04
                                                              • Instruction Fuzzy Hash: DD1125B58003499FDB10DF9AD945BDEBFF8EB48324F10894AE518A3790C774A540CFA1
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0161AFFE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: e717e65746396a0f7c57493cf130edf8e780e8c3c6553d000dfadbc5b5a04088
                                                              • Instruction ID: fcfaa84554919132c855de991f7d54ae785bf71edc6a2c023bef9ab9e99b18bf
                                                              • Opcode Fuzzy Hash: e717e65746396a0f7c57493cf130edf8e780e8c3c6553d000dfadbc5b5a04088
                                                              • Instruction Fuzzy Hash: 2611DFB5C002498FDB24CF9AD844B9EFBF4AB88224F14841AD529A7610D379A545CFA1
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B0869D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 690e619b737a09f9d9c431bf2e7c5b5edc0e8671df6c198bb85560eb425a080c
                                                              • Instruction ID: f3e532627cc9c41bd91339e0ea65356fee03aa529f3690184f9bf358a004d399
                                                              • Opcode Fuzzy Hash: 690e619b737a09f9d9c431bf2e7c5b5edc0e8671df6c198bb85560eb425a080c
                                                              • Instruction Fuzzy Hash: 1311F5B58003499FDB10DF9AD545BDEBFF8EB48324F10845AE518A7340C375AA44CFA5
                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0161B079,00000800,00000000,00000000), ref: 0161B68A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1610000_RqYh.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 3b63e1e01deae2f5bc34f4f36b0ccdd5cfef727d09fdeaebc5c70e8c2ba72171
                                                              • Instruction ID: 575b4018f78680462df15eb48e216ac1ec9380f2cf815464318d2873d0ac2358
                                                              • Opcode Fuzzy Hash: 3b63e1e01deae2f5bc34f4f36b0ccdd5cfef727d09fdeaebc5c70e8c2ba72171
                                                              • Instruction Fuzzy Hash: 02015EB69043548FDB148FA9D8047DABFF4AFA5324F18845ED144D7211C3799445CBA4
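The functions listed above from the 07B00000 dump region call VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread, which together form the RunPE / process-hollowing chain: allocate in a suspended target, write the payload image, redirect the primary thread, resume it. The Python triage script below is an added example and is not part of the Joe Sandbox report or its IDA plugin. It parses entries in this page's layout, groups them by dump region using the Offset field of the Source File line, and flags a region when its API IDs cover the chain. The sample text is constructed from entries on this page and trimmed to the fields the parser reads; the chain definition, the min_hits threshold and the function names (parse_entries, regions, flag_hollowing) are the example's own.

```python
# Added triage example for Joe Sandbox function entries; not Joe Sandbox code.
# Groups entries by memory-dump region and flags the process-hollowing chain.
import re
from collections import defaultdict

# Constructed sample, copied from this page's entries and trimmed to the
# fields the parser reads (call line, Source File, API ID, fuzzy hash).
SAMPLE = """\
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B03C70
• Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
• API ID: MemoryProcessWrite
• Instruction Fuzzy Hash: F82127B19003499FDB10CFAAC885BDEBBF5FF48320F10842AE918A7240C7789950DBA1
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B0368E
• Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
• API ID: ContextThreadWow64
• Instruction Fuzzy Hash: 232159B190024A8FDB10CFAAC485BEEBBF5EF88324F14846AD419A7340C7789544CFA0
APIs
• Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
• API ID: ResumeThread
• Instruction Fuzzy Hash: 5E1149B19002499FDB20DFAAD445BDEFFF4EF88324F24841AD519A7640CA75A540CBA1
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B03B8E
• Source File: 00000000.00000002.1707524302.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
• API ID: AllocVirtual
• Instruction Fuzzy Hash: 0E1137B29002499FDB10DFAAC845BDEBFF5EF88324F24881AE519A7250C775A540DFA1
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0161D70F
• Source File: 00000000.00000002.1696538875.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
• API ID: DuplicateHandle
• Instruction Fuzzy Hash: 1D21E4B59002489FDB10CFAAD984ADEBFF8EB48324F14841AE914A7310D374A940DF61
"""

# A call line: "• Name.MODULE(args), ref: ADDR". Must be tried before FIELD.
API_CALL = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# Any other bulleted "Key: value" line.
FIELD = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
# The dump region comes from "Offset: XXXXXXXX" inside the Source File value.
OFFSET = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+)")


def parse_entries(text):
    """Return one dict per function entry; an entry closes at its Instruction Fuzzy Hash line."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()  # the page's lines carry heavy leading indentation
        m = API_CALL.match(line)
        if m:
            cur["apis"].append(m.groupdict())
            continue
        m = FIELD.match(line)
        if not m:
            continue  # section labels such as "APIs" / "Strings"
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            off = OFFSET.search(val)
            cur["offset"] = off["offset"].upper() if off else None
        elif key == "API ID":
            cur["api_id"] = val
        elif key == "Instruction Fuzzy Hash":
            cur["fuzzy"] = val
            entries.append(cur)
            cur = {"apis": []}
    return entries


# This example's own heuristic. Keyed on the API ID field, which on this page
# drops Ex/W suffixes (LoadLibraryExW -> LibraryLoad, VirtualAllocEx -> AllocVirtual)
# and is present even for entries whose call line is missing (ResumeThread above).
HOLLOWING_CHAIN = {
    "AllocVirtual":       "VirtualAllocEx        - reserve space in the target",
    "MemoryProcessWrite": "WriteProcessMemory    - copy the payload image in",
    "ContextThreadWow64": "Wow64SetThreadContext - point the suspended thread at it",
    "ResumeThread":       "ResumeThread          - run it",
}


def regions(entries):
    """Map dump offset -> sorted list of API IDs seen in functions from that region."""
    by_off = defaultdict(set)
    for e in entries:
        if e.get("offset") and e.get("api_id"):
            by_off[e["offset"]].add(e["api_id"])
    return {k: sorted(v) for k, v in by_off.items()}


def flag_hollowing(entries, min_hits=4):
    """Return {offset: [matched chain steps]} for regions with at least min_hits steps."""
    hits = {}
    for off, ids in regions(entries).items():
        matched = [desc for api_id, desc in HOLLOWING_CHAIN.items() if api_id in ids]
        if len(matched) >= min_hits:
            hits[off] = matched
    return hits


if __name__ == "__main__":
    for off, steps in flag_hollowing(parse_entries(SAMPLE)).items():
        print(f"region {off}: process-hollowing chain present")
        for step in steps:
            print("   ", step)
```

Keying on the API ID rather than the raw call collapses the Ex/W variants and still counts the two ResumeThread entries above, which have no call line. The cost is that the API ID alone may not distinguish a cross-process VirtualAllocEx from a local allocation, so confirm against the raw call line where the entry has one before treating a hit as conclusive; here the 07B00000 region carries the explicit VirtualAllocEx and WriteProcessMemory calls at 07B03B8E and 07B03C70.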
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (jq
                                                              • API String ID: 0-3225323518
                                                              • Opcode ID: 9afac5a45010a51a5556ed0d96f8eb6a411e3469183073286c04049622d9078e
                                                              • Instruction ID: 0b43554091e1d395999964328c563159d740c3cd1e6b94301526b8ab3022d234
                                                              • Opcode Fuzzy Hash: 9afac5a45010a51a5556ed0d96f8eb6a411e3469183073286c04049622d9078e
                                                              • Instruction Fuzzy Hash: 8991BE70A05208DFDB18DFA9D444AAEBBFAFF84310F10846AE855E7351DB74AC45CBA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHfq
                                                              • API String ID: 0-2154135885
                                                              • Opcode ID: 82f197654ef3731c65b0ed7b8fd7424424cd8f8f8a9f7938681d5870f25ed72c
                                                              • Instruction ID: 5931c3fc0f601566649473409c0a51de4f07142996bafd90b2b7cc1680c2bef0
                                                              • Opcode Fuzzy Hash: 82f197654ef3731c65b0ed7b8fd7424424cd8f8f8a9f7938681d5870f25ed72c
                                                              • Instruction Fuzzy Hash: 66517938B042448FEB149B79D858AEDBBFABF49215F144069E817EB390CB749C44CB64
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'fq
                                                              • API String ID: 0-2007657732
                                                              • Opcode ID: f0830ce909fa40914a5afc43cced9cef681c7a62355ab2a34953062f2685d9e0
                                                              • Instruction ID: 3cc4d36f7fc265addb3c9ed31fc4cbbda7befbf980439b9c2d3e3e09cef7fbb7
                                                              • Opcode Fuzzy Hash: f0830ce909fa40914a5afc43cced9cef681c7a62355ab2a34953062f2685d9e0
                                                              • Instruction Fuzzy Hash: 14017C30A1020AEFCB44EFB8E5995AC7FF1FF48200F1044ADE809A7361EE352E448B45
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'fq
                                                              • API String ID: 0-2007657732
                                                              • Opcode ID: 645afed79f4d1bac89a9faa34e44ca99dbd6e9b4f6e5e736b320cbc0ae689a45
                                                              • Instruction ID: d24acdd0207fa96e5baf4cd43fae7303eda01f56780a156a2066ed3594fdf450
                                                              • Opcode Fuzzy Hash: 645afed79f4d1bac89a9faa34e44ca99dbd6e9b4f6e5e736b320cbc0ae689a45
                                                              • Instruction Fuzzy Hash: D1F01D70A0110AEFCB44EFB8E55559D7FB5FB44200F1044ADD805A7250DE352E449B45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4797fc98c72db198a63ce968fa42d4e09b928451e74354e9a5811e546c051dfe
                                                              • Instruction ID: 1afde5ad30dbfe85f0a9d8da7fcb2016d4b3c085a3ab27b6ef3a58d685b330f9
                                                              • Opcode Fuzzy Hash: 4797fc98c72db198a63ce968fa42d4e09b928451e74354e9a5811e546c051dfe
                                                              • Instruction Fuzzy Hash: 9F42E931E1075A8BDB24DF68C8946EDB7B5BF49304F1086A9D859BB311EB70AE85CF40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9caf569406f60571b7267a10892f0277e2bfefa03365ec9493e4b2717070b730
                                                              • Instruction ID: 3b38438bbaa1e5fcefb668a4af519d5effae7df5e2a63a416349fa06b7914151
                                                              • Opcode Fuzzy Hash: 9caf569406f60571b7267a10892f0277e2bfefa03365ec9493e4b2717070b730
                                                              • Instruction Fuzzy Hash: 38E1F931E006598BDB24DF68C894AEDB7B6BF49304F1086A9D859FB351DB70AE85CF40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c9efbf6bd1aadd178725a847a67e4e628c89cf048962147729d36218df130b9f
                                                              • Instruction ID: 4956c24f6a138450239e84a7be361990c71f05dc8358e682261587bfc3fdc9b2
                                                              • Opcode Fuzzy Hash: c9efbf6bd1aadd178725a847a67e4e628c89cf048962147729d36218df130b9f
                                                              • Instruction Fuzzy Hash: C591167190060ACFCB41DF68C8809D9FBF5FF49310B14979AE919EB215EB70E985CB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a57ac87cbb9f9276bebf8919e2058684df89c5cf7e579dcacef71115b0f32a5
                                                              • Instruction ID: 73bf49d43aa0fe7c17685c50c0dff38ba28e4a49f24336aaa3230be476e1a644
                                                              • Opcode Fuzzy Hash: 2a57ac87cbb9f9276bebf8919e2058684df89c5cf7e579dcacef71115b0f32a5
                                                              • Instruction Fuzzy Hash: AE81BDB5600A008FC718DF29C59899ABBF6FF89314B1589A9E54ACB372DB71EC41CB50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b87e7b3414315d02168258354d8278f198af119223e9428c57704709a1de607d
                                                              • Instruction ID: dbcdedf8b654d7547796b091b9471f8ca8e748cf3909c1787fddc839ded1d3c6
                                                              • Opcode Fuzzy Hash: b87e7b3414315d02168258354d8278f198af119223e9428c57704709a1de607d
                                                              • Instruction Fuzzy Hash: C0517D30A0020ACFDB25EBA9D4986BEBBB6EFC5304F148529D806E7354DF749D46CB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a154e4b5edd9456e30f0caefb8d0abfd2f84cef0ef7bf7a9e03c8748c54022c0
                                                              • Instruction ID: 49ad5f88acabdcce272a0e06596f039a8f33d99c095b679f7ed06d1284356469
                                                              • Opcode Fuzzy Hash: a154e4b5edd9456e30f0caefb8d0abfd2f84cef0ef7bf7a9e03c8748c54022c0
                                                              • Instruction Fuzzy Hash: A87190B4A002068FDB54CF68D584999FBF5BF48314B0986A9E80ADB312E774EC85CF90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8db9a0d24d1f5eb704f2b12ccd7296b797f21d5b6ea64b684cbd9fa21d183194
                                                              • Instruction ID: b2d33e88ddf63a8499876e877df817429e214a886f19a8a64353178f98a88796
                                                              • Opcode Fuzzy Hash: 8db9a0d24d1f5eb704f2b12ccd7296b797f21d5b6ea64b684cbd9fa21d183194
                                                              • Instruction Fuzzy Hash: 9471AF34A01209AFDB14DFA9D898DAEBBB6FF89314F154498F901AB361D771EC81CB50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 38ad6b2e581552a579c3badad4d779e2b8b99a9c1fc486f53188fab19450482e
                                                              • Instruction ID: 1fe5bf2337dc597ee6383caa309cf10a8c649f98374a8145ccea9b859639a2cb
                                                              • Opcode Fuzzy Hash: 38ad6b2e581552a579c3badad4d779e2b8b99a9c1fc486f53188fab19450482e
                                                              • Instruction Fuzzy Hash: AC514270E002599BDB54DFAAC854AEFBFF9EF84310F10841AE955E3350EB749905CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 630365e60b9b56d9dfb1148281c2d6971475848a6be966908e6ca53a6209f30b
                                                              • Instruction ID: b79f4aeab9bc662b016a087d962ea6119b459a0f50f08d4ac14ab862cf726514
                                                              • Opcode Fuzzy Hash: 630365e60b9b56d9dfb1148281c2d6971475848a6be966908e6ca53a6209f30b
                                                              • Instruction Fuzzy Hash: 9551D8727001158FCB15EB68E8449AAB7BAFFC8315B15426EE905DB325DF71EC41C790
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b994e2ae052154da79f7a24b0daf9a0eefe743c8fea9d2d22503d33912db4b9f
                                                              • Instruction ID: 898b9a481d176652b4ec7bbde73e6cd8ae2ebd84b7b4889efe97eb57a676fa18
                                                              • Opcode Fuzzy Hash: b994e2ae052154da79f7a24b0daf9a0eefe743c8fea9d2d22503d33912db4b9f
                                                              • Instruction Fuzzy Hash: ED51C334A0460A8FCB18EF78D4944AEBBB6FF85310714866DD80ADB351EF31AD06CB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc02ccea783fccecc4dd011d9c981a04cfe9f1a6a1cd7db52d514fe61e11b1fe
                                                              • Instruction ID: d0d08dc3d308cee95551c053e086b5e3a1bd611d2fb444003bccd5033236f1d6
                                                              • Opcode Fuzzy Hash: cc02ccea783fccecc4dd011d9c981a04cfe9f1a6a1cd7db52d514fe61e11b1fe
                                                              • Instruction Fuzzy Hash: A951F334A106098FCB04EF68C8989ADBBB6FF89700F1585A9E5069B375EB71AD45CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 67b196e0d5526a02b242a8de0a434e7f040431adc3b74315155a8684c0022ac4
                                                              • Instruction ID: ec598cca4e8a15dd1cc5d3dc102fbb3d432e5dd3dfb2fd964cc66b68d90f7b86
                                                              • Opcode Fuzzy Hash: 67b196e0d5526a02b242a8de0a434e7f040431adc3b74315155a8684c0022ac4
                                                              • Instruction Fuzzy Hash: CD51F97191070ACFCB41EFA8C8809D9FBB5FF49310B14975AE859EB255EB70E985CB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 81d0d836d88a66d74762b97353185d605ea71f3d3e5fac27cc0783947781d05b
                                                              • Instruction ID: 0fcc9efd4870cc549602e9ceb0838bef636cd58f7c3c5181612934445c85de22
                                                              • Opcode Fuzzy Hash: 81d0d836d88a66d74762b97353185d605ea71f3d3e5fac27cc0783947781d05b
                                                              • Instruction Fuzzy Hash: 7C51E434A10609CFCB04EF68C8989ADB7B6FF89700B1585A9E506DB375EB71ED45CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 315de9b18d23cba667e0edf5c12db23d982e761589aa88bae73cb75263c0d1bc
                                                              • Instruction ID: 15e93c31d3777d7782bcb9b24f31593a33a1f5026bc05d563049f2e42fb8eb30
                                                              • Opcode Fuzzy Hash: 315de9b18d23cba667e0edf5c12db23d982e761589aa88bae73cb75263c0d1bc
                                                              • Instruction Fuzzy Hash: 3E512C34A0070ADFCB04EF68D8849DDB7B6FF89304F058559E515AB325EB71AD46CB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 819e1cc1da219ba294c789d26adda6c194c57c608c966de5587c626fe1faea89
                                                              • Instruction ID: 8172a7e133437ac11382ed95f0ed150547c72cdb9191aa25a3a5e65819024570
                                                              • Opcode Fuzzy Hash: 819e1cc1da219ba294c789d26adda6c194c57c608c966de5587c626fe1faea89
                                                              • Instruction Fuzzy Hash: 2A412934B141598FDB14DB69C898EADBBFABF49714F1440A9E902EB3A2DB71DC01CB50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 21f3d2807a0682d35df6c95e37de98c8652a41e0da10009f32deffece553c56f
                                                              • Instruction ID: 69967ba122121aa569b3de294c25bd1790db6b04fce5f5c4b5fbdb8611591260
                                                              • Opcode Fuzzy Hash: 21f3d2807a0682d35df6c95e37de98c8652a41e0da10009f32deffece553c56f
                                                              • Instruction Fuzzy Hash: 54516C30604245CFCB15DFA8D994A9EBBF2FF49304F1484ADE856AB365CB71AC44CB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 35900fbb7737cdec2aeb7035cd4a75f3378830e7b487f5d48577d8b95c356608
                                                              • Instruction ID: 961dd8acec93b8c1242126bcfbd8fa635722a059bebda67b16aa06fae1aa2ea3
                                                              • Opcode Fuzzy Hash: 35900fbb7737cdec2aeb7035cd4a75f3378830e7b487f5d48577d8b95c356608
                                                              • Instruction Fuzzy Hash: 84414A74E00619CBEB25DF68EA44AEEBBF9FB48314F144129D805E7350EB75AD01CBA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cfa056211f41f45deb969f9dfc340109be484e0cf17df8d64071476fa601c620
                                                              • Instruction ID: d81bb2538ccce3ad0bcb5431c8b2a70d83f077624597153ccf24ac50b327beac
                                                              • Opcode Fuzzy Hash: cfa056211f41f45deb969f9dfc340109be484e0cf17df8d64071476fa601c620
                                                              • Instruction Fuzzy Hash: 9951E635A01209EFDB10DF94D598AEEBBF6FF88310F208069E905A7351CB71AD51CB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1004fba8b3e6c1b610af490dc7a3eaf60072d289d590a513729b3984529e89be
                                                              • Instruction ID: 556665c6326cd60b222ea698baeacd00ce30e2147582b423273a5515dd7079f9
                                                              • Opcode Fuzzy Hash: 1004fba8b3e6c1b610af490dc7a3eaf60072d289d590a513729b3984529e89be
                                                              • Instruction Fuzzy Hash: 4A410734A00219CFDB54DFA8C888BDEB7B5BF48714F144069E906EB3A1DB79AC01CB60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 57159e1ad3d978d50046383b710b03f3269ecee735da6e3b4a74ebbdc23c9bb4
                                                              • Instruction ID: 2862828e7442bfbb8b4edd197bcd931e5ca2fbd6bfb335f7a6b89259a922c09d
                                                              • Opcode Fuzzy Hash: 57159e1ad3d978d50046383b710b03f3269ecee735da6e3b4a74ebbdc23c9bb4
                                                              • Instruction Fuzzy Hash: 36413C30A00205CFCB15EBA8D985ADEB7F2FF88315F14856CD916AB364CB72AC44CB50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b7f6265cd2935ff6e216c6ef8820033c0d05a393e6a5bc68a888a3fa402f970
                                                              • Instruction ID: 57dd821870a15c9fec5df1d2aff23f5a723d3a707a8017ac3d9c7e0ed669ba22
                                                              • Opcode Fuzzy Hash: 3b7f6265cd2935ff6e216c6ef8820033c0d05a393e6a5bc68a888a3fa402f970
                                                              • Instruction Fuzzy Hash: 41414870B006199FDF19DBACD8846EDB7FBAF48204F104129E916E7361DBB4AE41CB85
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c8a84c551db01f164b37524a22a2a2d02aa2d11141f90199624a0b22ee30b1b0
                                                              • Instruction ID: 3c9e3a53a18ce68abf8d93ca3794abe368c26f74bcb313e40dc0115e527d5c52
                                                              • Opcode Fuzzy Hash: c8a84c551db01f164b37524a22a2a2d02aa2d11141f90199624a0b22ee30b1b0
                                                              • Instruction Fuzzy Hash: 7E411D34A1070ADFCB14EF68C8949EDB7B6FF89304F008959E515AB325EB71A946CB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b42d9130cb376cab34455c19a4ed9468a225fd4417ea425885d78e78583a6a2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e02d62bf82240daf2d4bf2a0e2bfe76985200b0d220be55467f21cbb7c8c7c5c
                                                              • Instruction ID: 0883b3cb40f8bc45d1d7b8ba806cf438057492c9939554cf656b786634515ee2
                                                              • Opcode Fuzzy Hash: e02d62bf82240daf2d4bf2a0e2bfe76985200b0d220be55467f21cbb7c8c7c5c
                                                              • Instruction Fuzzy Hash: 4A21A471B007058BDB54AF68C49469AB7B9FF85310F949A2DDD09AB344EB71BC85CB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e81bb212c2d967de50d3b725185d8ec60d65d16107b11f2ff77d38753cd5e68
                                                              • Instruction ID: 93dabeeef262ef40b1a699df9a5939e0f3bfa5d566ccd2fd82048ecdf37e8bb2
                                                              • Opcode Fuzzy Hash: 1e81bb212c2d967de50d3b725185d8ec60d65d16107b11f2ff77d38753cd5e68
                                                              • Instruction Fuzzy Hash: C621213190070D9FCF04EFA8C8449ADB7B5FF89300F51866DE545AB221EB34E985CB41
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c0007062d8638bd8a05da75b45fb787fcf1e5018a6fd9b3b44ce16a1b2d44f98
                                                              • Instruction ID: 3e5fed879c541987c54b23dd5da9838145a302c2d228fd306180216f8924e27d
                                                              • Opcode Fuzzy Hash: c0007062d8638bd8a05da75b45fb787fcf1e5018a6fd9b3b44ce16a1b2d44f98
                                                              • Instruction Fuzzy Hash: EA213231A0070D8FCF04EFA8C8849EEB7B5FF85300F518569E945AB221EB70E989CB41
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7b97cf362f6127e8c5f5f14c157372d10099a49dbe72f4a8de911c4e7ae0c949
                                                              • Instruction ID: 947833b3fa3df90e0d81652d1a858163610e6f219452f9cb37edc4021be99396
                                                              • Opcode Fuzzy Hash: 7b97cf362f6127e8c5f5f14c157372d10099a49dbe72f4a8de911c4e7ae0c949
                                                              • Instruction Fuzzy Hash: 1611A231F007164BEB21EEAD88415FEB7BAEBC4610F048A2AD91AE7350DEB49D0187D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3cd25f1aec90344796087616e3f7b9ed85ba6e5c37ce314c791ecbbf6bb1b54
                                                              • Instruction ID: 609fa543acaa38544e1faf651bf418d3c5bee381e9324c986f1bf9e60a92d4c0
                                                              • Opcode Fuzzy Hash: a3cd25f1aec90344796087616e3f7b9ed85ba6e5c37ce314c791ecbbf6bb1b54
                                                              • Instruction Fuzzy Hash: 44213B35A05219EFDB14DE59C8849EDB7BAFB88215B00816AE819EB301D7B0AD44CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696324181.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15cd000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 907f026780e2ef57ce1d1640f4876b8a04ab2a747121d87a07f0747ec917613d
                                                              • Instruction ID: 5fa8e58c3d1e44f4970d4417a37a3a4c3e597693030b31e4dedbbcff7c399cd1
                                                              • Opcode Fuzzy Hash: 907f026780e2ef57ce1d1640f4876b8a04ab2a747121d87a07f0747ec917613d
                                                              • Instruction Fuzzy Hash: 23217F755093808FDB12CF68D594715BF71FB46214F28C5EAD8498F6A7C33A980ACBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fde862aeeced5d5512991a6f6431736643d82398ad58bbd96e6c26f9a933aa62
                                                              • Instruction ID: c48071b1f82125b25dbed4dd5b99e5377647d12fe5d21e740573da06419a3002
                                                              • Opcode Fuzzy Hash: fde862aeeced5d5512991a6f6431736643d82398ad58bbd96e6c26f9a933aa62
                                                              • Instruction Fuzzy Hash: 8111E731F006155BEB20DEAD88416FFB7BAEBC4610F14893ADD1AE7340DAB49D0187D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5e5fb83e87bf4e9be3125e2cc6ebd6495b8e7ef8f19e1a55489c762717d9b402
                                                              • Instruction ID: 75d04f3e3489e72559de15f8c00735a122da241f054602255afb41c6b52b76db
                                                              • Opcode Fuzzy Hash: 5e5fb83e87bf4e9be3125e2cc6ebd6495b8e7ef8f19e1a55489c762717d9b402
                                                              • Instruction Fuzzy Hash: A5217234600705CFD768EB78C444AEAB7BBFF85215F04896DD45A5B360DF71A88ACB82
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a7521961911c0dc9e50f618cef30b6ae5327e4f5b8b85c8b729d232d1c3c476
                                                              • Instruction ID: f1a7651ce6dd132c66c6f22f94768270f05e6a828743a28e2113d6ef9485f129
                                                              • Opcode Fuzzy Hash: 5a7521961911c0dc9e50f618cef30b6ae5327e4f5b8b85c8b729d232d1c3c476
                                                              • Instruction Fuzzy Hash: C8216334600705CFD768EB38C484AEA73BBEF85315F00896DD45A5B360DF71A889CB82
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696110396.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15bd000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                              • Instruction ID: acec46b936aecfa0bcfc4890bb86f890801eeb761cca9c22315d3a8bd8fa24a1
                                                              • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                              • Instruction Fuzzy Hash: 5C11DF72404240CFDB12CF44D5C0B9ABF72FB84328F24C6A9D9090F656C37AE45ACBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d5ef6a175e0f1976e0ce73918615b5e1af980465f9b2acce85dbcc2983e2dd5
                                                              • Instruction ID: 1daed9ea475ba881a782b8f0f0fb6763a6022e2ea261de87fc91cb78b75346da
                                                              • Opcode Fuzzy Hash: 9d5ef6a175e0f1976e0ce73918615b5e1af980465f9b2acce85dbcc2983e2dd5
                                                              • Instruction Fuzzy Hash: FF119375A002058FC700DB68C9559EB77FAFFC0210B008969EA06EB364EF70EC088FA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8b90271510e8c278aa71a3d947f813d0d30fe4801543a8cdbcb2e50e1796296
                                                              • Instruction ID: ff070f983fbd76287e2b90e539190e2cc50eba531190ec9d95a4f4a07b33ade1
                                                              • Opcode Fuzzy Hash: d8b90271510e8c278aa71a3d947f813d0d30fe4801543a8cdbcb2e50e1796296
                                                              • Instruction Fuzzy Hash: CB11C4363142024BE724DB19D8C57A93BEAFFC9350F188076E90ACB366DA75DC008B90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 376e19c477a791b8cc3d5f72304a684437891e519aedf8dd30d891c5bbe09d0d
                                                              • Instruction ID: 98d2415e765ff9e41f0aed97cd1be6d5412b55b795f9b4d94446784f05d17f12
                                                              • Opcode Fuzzy Hash: 376e19c477a791b8cc3d5f72304a684437891e519aedf8dd30d891c5bbe09d0d
                                                              • Instruction Fuzzy Hash: 1101F5B1B003545BCF02B77C98995EEBFBADF86210F10006AEA14D7381CA340D1683DB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0fb1d5fee70ae40b9902e3238837880de13d156c3e5a1216cfc87b6b7443135
                                                              • Instruction ID: ada8da7982274b530bf686b960d0afa0054d393136e38e57d31fd175d1733a33
                                                              • Opcode Fuzzy Hash: b0fb1d5fee70ae40b9902e3238837880de13d156c3e5a1216cfc87b6b7443135
                                                              • Instruction Fuzzy Hash: 4911C130A002059BEB14EFA4D5587EEB7F6EF88310F544828D906A7390EBB66D04CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696324181.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_15cd000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                              • Instruction ID: 441576d5014f1e4c164105479e05e63765ede433896d91977cbe2b0a7f2673da
                                                              • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                              • Instruction Fuzzy Hash: C111BE75504240DFDB12CF94C5C0B19BB72FB84624F24C6AED8498F656C33AD44ACB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8b819325e5b20b1da007a901b7953570bda69aca7ed2458f4136f951d8c3983b
                                                              • Instruction ID: 61e8e1b24f8ed375238958f62269a5d66e9d584b9c4d7ca9167e9510bee36e3c
                                                              • Opcode Fuzzy Hash: 8b819325e5b20b1da007a901b7953570bda69aca7ed2458f4136f951d8c3983b
                                                              • Instruction Fuzzy Hash: BF11F3B1D046489FDB10DF9AD444BDEFBF8EB98324F14841AE959A7310D3B8A904CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44bd8baf5e5226590333046814207eee0e8f392d98ca2a8fe88fd9b0e788bcc6
                                                              • Instruction ID: 43623aee2dcbd2653942eb6a2f5bd54ecb88ee5bbe9b88f41fffdf03170f12a1
                                                              • Opcode Fuzzy Hash: 44bd8baf5e5226590333046814207eee0e8f392d98ca2a8fe88fd9b0e788bcc6
                                                              • Instruction Fuzzy Hash: E611F3B1D046489FDB10DF9AD444BDEFBF8EB98324F14841AE959A7310D3B8A944CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a40ea98e14a0e93f1b93d2810ace2857d7f915df93e3a00b21bc90796cb4520
                                                              • Instruction ID: c7cd469e474bf815154520236ea443cd45b5d87b05afb549274e60e9d8ea660a
                                                              • Opcode Fuzzy Hash: 9a40ea98e14a0e93f1b93d2810ace2857d7f915df93e3a00b21bc90796cb4520
                                                              • Instruction Fuzzy Hash: 75018E71A111059BEB049B68E949AAB7EA6FF88710F044069F806EB354DE75AC008BA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 57f84d01e94cc5f656229c7c0de11a9073a6ea2c60324bae84df709d63617749
                                                              • Instruction ID: 3686235101c33fc051ede7b977fca0f3f368aa91eb83a0c32593f2333e5548ea
                                                              • Opcode Fuzzy Hash: 57f84d01e94cc5f656229c7c0de11a9073a6ea2c60324bae84df709d63617749
                                                              • Instruction Fuzzy Hash: D211F3B5C102499FDB10DF9AD445A9EFBF8EF88320F24841AE859A7310D778A544CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f294e71c3d3340f1effbbc34ca7554b3a4d02ed2668216be2c50dfc2f9da9695
                                                              • Instruction ID: 88e36e6d54797a0bb9006d59a6a2b32d21e04fc55d876151e213de69f91c9a80
                                                              • Opcode Fuzzy Hash: f294e71c3d3340f1effbbc34ca7554b3a4d02ed2668216be2c50dfc2f9da9695
                                                              • Instruction Fuzzy Hash: 04018B30A002059BEB18EF64D5697EE7BF6EF84300F548929D902973A0EFB55D04CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: feffd6f33fb4519ca5928fc4aa2afd87a8e941dfca1cb79a4f917bfb84ff3328
                                                              • Instruction ID: f25f0c9e6592e768914a70aa8915c5d731cd2d5be4b3629457b97b1dadc6755b
                                                              • Opcode Fuzzy Hash: feffd6f33fb4519ca5928fc4aa2afd87a8e941dfca1cb79a4f917bfb84ff3328
                                                              • Instruction Fuzzy Hash: BC01B571A001059BEB049F58D949BAF7BFAFFC8700F044069E402EB344CE75AC00CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2ebe4df83911791898838fd6edde74939174f63426a4136e078fdeecdfc3638
                                                              • Instruction ID: 28b1b720b51fce85416fd95e0564bd94b64ee8e6f2b953b2d237ecc4a6ae0103
                                                              • Opcode Fuzzy Hash: b2ebe4df83911791898838fd6edde74939174f63426a4136e078fdeecdfc3638
                                                              • Instruction Fuzzy Hash: C71115B58002488FDB20DF9AD585BDEFBF8EB48324F24841AD959A7300C375A944CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c629da92c29d92841e47e83e7b8995f3d23fa1085d026c1ce623d9e2da7dfc4f
                                                              • Instruction ID: 81e3882687a213165950962069cfd88d7823bd075ac1624b2675699ace9b9da4
                                                              • Opcode Fuzzy Hash: c629da92c29d92841e47e83e7b8995f3d23fa1085d026c1ce623d9e2da7dfc4f
                                                              • Instruction Fuzzy Hash: E801DB353146104BEB19B73D94187ED3BA99FC5A11F044079DC46C7391DFA58C01C796
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 663cf8cc1492796180924574f82a62860be9d4a672e126f0fe9bda4fb49e66c5
                                                              • Instruction ID: 500dca87390d9ff7039c8d1a8e720ecb2f2710ead4cf68c38ad159ff077f8535
                                                              • Opcode Fuzzy Hash: 663cf8cc1492796180924574f82a62860be9d4a672e126f0fe9bda4fb49e66c5
                                                              • Instruction Fuzzy Hash: 671112B58002488FDB20DF9AD585BDEFBF8EB48324F20841AD959A7300C378A944CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3acd24fab7d6a109273a4e7dfffa6e2ecd04c28a8786ade3bc9bb2ad0a0fd10
                                                              • Instruction ID: b0980fa0ef5ba4c12caf92b559dbd48206486d207bfc16355ba97eeacc8e6c9d
                                                              • Opcode Fuzzy Hash: a3acd24fab7d6a109273a4e7dfffa6e2ecd04c28a8786ade3bc9bb2ad0a0fd10
                                                              • Instruction Fuzzy Hash: BD012D70601709DFD724EF39C4445AA7BBABF85300B54856ED8869B360EB70DD85CB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bcb917241b9a08076a6df513e7349913483cf08ca14fa282434f291850171f79
                                                              • Instruction ID: 1a6e86ee3d6970f72eedd6220d147772ad82e5f56e691503f8f102413ac8c6ad
                                                              • Opcode Fuzzy Hash: bcb917241b9a08076a6df513e7349913483cf08ca14fa282434f291850171f79
                                                              • Instruction Fuzzy Hash: 95F0E2B4A1520DEBE700DF60F981B997FB9FF08304F1086ACE805A3310DA362E05DB95
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3464f165bf02b0c020af448a055e42d7ec932e05cebe9467dc10b6cb2be747a9
                                                              • Instruction ID: c324370d4ec44daa6c3814c4c2d4fe27485194e0290e120713b19eca03ed664d
                                                              • Opcode Fuzzy Hash: 3464f165bf02b0c020af448a055e42d7ec932e05cebe9467dc10b6cb2be747a9
                                                              • Instruction Fuzzy Hash: 05019E30601709DFD324EF29D0046AA7BB9FF81300F14892EE8828B360EB70DC81CB92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d53637bcefc585bb7143863d874fbe28d0a4994851565f26f4c3f08965d6d216
                                                              • Instruction ID: c1720de64753ec4c0d768ad88436a9b7cdf34e85a2aa60627784bfb709fa7049
                                                              • Opcode Fuzzy Hash: d53637bcefc585bb7143863d874fbe28d0a4994851565f26f4c3f08965d6d216
                                                              • Instruction Fuzzy Hash: 3A01AD31A00B058AD7117A78D4085EEB739FFC1211F11456EE8459B310EF70AE8286A6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 772a72cf445c082727ddf1d3418b39f940524c16ba9323c8593b64f59fc468f7
                                                              • Instruction ID: 5539e5d81118a778985e6ed3b4359f00141ae3e281185d143ac9ddc35280bc5c
                                                              • Opcode Fuzzy Hash: 772a72cf445c082727ddf1d3418b39f940524c16ba9323c8593b64f59fc468f7
                                                              • Instruction Fuzzy Hash: 09F09671B006195B9F15B6AC5C985FEBBBE9BC9610F100029DB15E7340CE740E0297DA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fea6d8b8acd06bf55e2da286e35e320e78102e1412aea9f2a83da216625333cd
                                                              • Instruction ID: 8056eca354e8447711ad79333e5dda308f12d1e185527bbf8cae642146c64228
                                                              • Opcode Fuzzy Hash: fea6d8b8acd06bf55e2da286e35e320e78102e1412aea9f2a83da216625333cd
                                                              • Instruction Fuzzy Hash: 34F024317142178BE628962A8485ABA32DFAFC8A05B48442ABC07C3350CFA0CC02C790
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a7c9384f9639ab747ccd5c06dfd2cc068e5e94cf2e5bc4069b61edf4bd8c2d5
                                                              • Instruction ID: 761d5806f2486b31446cda41d251222eecac3e6ac64d5689ab63cfa0e4a2373d
                                                              • Opcode Fuzzy Hash: 9a7c9384f9639ab747ccd5c06dfd2cc068e5e94cf2e5bc4069b61edf4bd8c2d5
                                                              • Instruction Fuzzy Hash: 79011D353101118FC754DB68D859A6977EAEFC9611F1540BAE90AC7361CF719C01CB90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0888f3ddb7fd8ac003f37e1f11d69465d948b888a69532d045e4c2a34f616a67
                                                              • Instruction ID: 98457a5e4274629a045e634788473adc2ff8c2a2862a287091da3999b6ec97a8
                                                              • Opcode Fuzzy Hash: 0888f3ddb7fd8ac003f37e1f11d69465d948b888a69532d045e4c2a34f616a67
                                                              • Instruction Fuzzy Hash: 2EF0F031B082128BE6248B269444BBA679EAFC8A01B09012FEC83C7360CBA0CC02C780
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2628c7693c953d64cba8a09848ccb117ef08523296248fb1916db03afe65f549
                                                              • Instruction ID: 9ad337a78b93b46e473e233e866a36c8ed10bf4fbbfd2b7703cf886fb02d7f96
                                                              • Opcode Fuzzy Hash: 2628c7693c953d64cba8a09848ccb117ef08523296248fb1916db03afe65f549
                                                              • Instruction Fuzzy Hash: 60F0B4323046024FC7149A6EE88485ABBEAFFC4231300453AE50AC7221CE61AC4587E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f0f04fd1197d4d85d42955354ada92647243770beb119622ad44ce458ca1c276
                                                              • Instruction ID: ece031e69c565876c90f1670e71623f83ddf5123fbcc69fbb94cff6591fefbfe
                                                              • Opcode Fuzzy Hash: f0f04fd1197d4d85d42955354ada92647243770beb119622ad44ce458ca1c276
                                                              • Instruction Fuzzy Hash: BF01A235D10209DFCB40EFA8D54599DBBF4EF48210F1082AAE559AB321EB709A44CB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd732ebf8db2f9b80f3f03cea3edf661cd38e2294cb0fc3afec26ba468203570
                                                              • Instruction ID: c2b1ef87ca76ae9f96dc4e02de1654564bb9941711009498c23100ce843daa56
                                                              • Opcode Fuzzy Hash: cd732ebf8db2f9b80f3f03cea3edf661cd38e2294cb0fc3afec26ba468203570
                                                              • Instruction Fuzzy Hash: 9EF062317007058BDB157A78D4084EEB779FFC5211F15466EDC4997350EF70AE4186E2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1337bd8e9768e9ae4d6c4f19cd5f468ab232626525fdf7e29fa3aa6705b78c72
                                                              • Instruction ID: 0902847c29a6fd93877745376165d6815fe338cdeaf0d33441bc415b0ba5e4f2
                                                              • Opcode Fuzzy Hash: 1337bd8e9768e9ae4d6c4f19cd5f468ab232626525fdf7e29fa3aa6705b78c72
                                                              • Instruction Fuzzy Hash: 2BF0A47160270A9BE724EF24C4507EAB7BAFF81340F98896DD885DA350EBB6DD81C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 625f6c9f1ab8b4cdb3bf2f2af441bb9381a7f01d6eb56ddf4030dab5e1617749
                                                              • Instruction ID: 1044c7410275a189630b2dae0fd73f0f69e6c3cc0cb26f3debf99d6bba641826
                                                              • Opcode Fuzzy Hash: 625f6c9f1ab8b4cdb3bf2f2af441bb9381a7f01d6eb56ddf4030dab5e1617749
                                                              • Instruction Fuzzy Hash: 44F0823531061187AB59B73E9018ABE77AEAFC4A217144129EC06CB390DFF5CC42C7A6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                                                              • Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
                                                              • Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                                                              • Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da131103bea4e7ad574274cde3f8ec0d6d542e1542e5666fdf02b0516e23db0f
                                                              • Instruction ID: 90be804a4d9f586727276638da640a2e162bea6bcd5b95aea406e93bfbddfc35
                                                              • Opcode Fuzzy Hash: da131103bea4e7ad574274cde3f8ec0d6d542e1542e5666fdf02b0516e23db0f
                                                              • Instruction Fuzzy Hash: 13F0B47A3002059BDB15EF39E9409AE3BADEF8A350B54046DF504CB224DF76EC41CB94
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ec08a45e782e11a03999a5431c715accdae39c35f523baf82ae69c0599001bc2
                                                              • Instruction ID: 91e7a4b1e6fed39c23e45853ef32dc1d63bb3677388401f7c145108a328d1e83
                                                              • Opcode Fuzzy Hash: ec08a45e782e11a03999a5431c715accdae39c35f523baf82ae69c0599001bc2
                                                              • Instruction Fuzzy Hash: 30F024324003489BDB11EF2CE8443D97BF4EF91300F14C55ED4884B202EBB199E8CB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b586a38cda2a47f800941035da1ff3eb205c79ae63ffa76e11456a035104ffdd
                                                              • Instruction ID: d1edc6010b87d426a315df8e61bd2c83fc7cac513ce52f97408191262572f449
                                                              • Opcode Fuzzy Hash: b586a38cda2a47f800941035da1ff3eb205c79ae63ffa76e11456a035104ffdd
                                                              • Instruction Fuzzy Hash: 7CF032312052408FC719CB28D598C9A7BF1EF4A60430684DAE48ACB372CBB2EC44CB50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0a4038c5ad92bfe4e0829f3a34f1351179ea726361ff1fa978208d51442e96ad
                                                              • Instruction ID: eea6b3aef194947027ec1bc66c2d80149e49cc0c3764b5da803ed36f62e35b96
                                                              • Opcode Fuzzy Hash: 0a4038c5ad92bfe4e0829f3a34f1351179ea726361ff1fa978208d51442e96ad
                                                              • Instruction Fuzzy Hash: E8F030393002069BDB15AF79D940CAF3BAEEF8A3557544469F608CB228DF76EC05CB94
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 75132b2ca47214a7b82b322088a9567fae5bf65ec6296307b2d16ca00a15d4f0
                                                              • Instruction ID: ca4592b8fc6b894bfea9a5e1b8495a89f4251167717051c1772b8fd051973df1
                                                              • Opcode Fuzzy Hash: 75132b2ca47214a7b82b322088a9567fae5bf65ec6296307b2d16ca00a15d4f0
                                                              • Instruction Fuzzy Hash: 8BE01B717006255B9708EB7EA844466F6DBAFD9510318C57ED50ECB728ED719D014688
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ccc3d817075a4bd0db9d39bd7f42e4680febdabe5bd34117f8fbc123f3ad9978
                                                              • Instruction ID: e5e5a7f0f0a5538197d3ef0cdac0aa2805aaae550de7b257a85e996a1f552dd1
                                                              • Opcode Fuzzy Hash: ccc3d817075a4bd0db9d39bd7f42e4680febdabe5bd34117f8fbc123f3ad9978
                                                              • Snapshot File: hcaresult_0_2_7b00000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4eeab6e0a308debfec598a75f42d346e9d5930cca43e94f032d9474e7a45bb9d
                                                              • Instruction ID: 4bce82f314fda57f8b6ed30f855b9e85e1401090831df21ca667bf304f480949
                                                              • Opcode Fuzzy Hash: 4eeab6e0a308debfec598a75f42d346e9d5930cca43e94f032d9474e7a45bb9d
                                                              • Instruction Fuzzy Hash: 11510CB4E052198FDB18CFA9C5405AEFBF6FF89304F2481A9D418A7356D7319A41CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1707751364.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7d70000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1cdcdb9c86f6e3135ec7f1b47daca0af1651c8639d97ebba41413653bf706b74
                                                              • Instruction ID: 508dd431ab7f0bbf742ccfeb2e1ed65efb02481893528ae7d2f07d62d112f324
                                                              • Opcode Fuzzy Hash: 1cdcdb9c86f6e3135ec7f1b47daca0af1651c8639d97ebba41413653bf706b74
                                                              • Instruction Fuzzy Hash: 4331DCB1D02229DFCB05CFA8C554AEEBBB2BF89311F109469D410B7250DB359A84CFA4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
                                                              • API String ID: 0-3006135790
                                                              • Opcode ID: e997811fc6908cf4ef9cb78cdfa63a88f6513b3dd78fdecddce3f63aa07a95cf
                                                              • Instruction ID: c7654ec2a1ce5dea5b2177f01a850fab0baaaf303a7b555ab3b0adf3c0fbf987
                                                              • Opcode Fuzzy Hash: e997811fc6908cf4ef9cb78cdfa63a88f6513b3dd78fdecddce3f63aa07a95cf
                                                              • Instruction Fuzzy Hash: 03121A70A0420A9FCB58EF64EE90A9EBBB2FF94300F5055ADD009AB265DF752D44CF91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1705154227.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_58b0000_RqYh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq
                                                              • API String ID: 0-3006135790
                                                              • Opcode ID: b359135896412c55301a473823a39ed8398e695dea5e4987e4572b976e60dc9d
                                                              • Instruction ID: d416cc7541e224f2fbafe7a8247bec9da0549e396ba45360b4f10932658db3e8
                                                              • Opcode Fuzzy Hash: b359135896412c55301a473823a39ed8398e695dea5e4987e4572b976e60dc9d
                                                              • Instruction Fuzzy Hash: A0121970A0420A9FCB58EF74EE90A9EBBB2FF94300F5055AD9009AB265DF752D44CF91

Execution Graph

Execution Coverage: 2.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2%
Total number of Nodes: 791
Total number of Limit Nodes: 17
API calls 47416->47419 47420 4036f0 47416->47420 47419->47420 47420->47411 47423 401f86 11 API calls 47422->47423 47424 40b9c3 47423->47424 47425 40314c 28 API calls 47424->47425 47426 40b9df 47425->47426 47427 40325d 28 API calls 47426->47427 47428 40b9f2 47427->47428 47428->47373 47430 40322e 47429->47430 47439 403618 47430->47439 47432 40323b 47432->47394 47434 40326e 47433->47434 47435 402252 11 API calls 47434->47435 47436 403288 47435->47436 47437 402336 11 API calls 47436->47437 47438 403031 47437->47438 47438->47067 47440 403626 47439->47440 47441 403644 47440->47441 47442 40362c 47440->47442 47444 40365c 47441->47444 47445 40369e 47441->47445 47443 4036a6 28 API calls 47442->47443 47449 403642 47443->47449 47448 4027e6 28 API calls 47444->47448 47444->47449 47450 4028a4 22 API calls 47445->47450 47448->47449 47449->47432 47452 4024f9 47451->47452 47453 40250a 28 API calls 47452->47453 47454 4020b1 47453->47454 47454->46670 47455->47152 47466 412829 61 API calls 47462->47466 47467 43bea8 47470 43beb4 _swprintf CallCatchBlock 47467->47470 47468 43bec2 47483 44062d 20 API calls __dosmaperr 47468->47483 47470->47468 47471 43beec 47470->47471 47478 445909 EnterCriticalSection 47471->47478 47473 43bef7 47479 43bf98 47473->47479 47475 43bec7 __cftoe CallCatchBlock 47478->47473 47481 43bfa6 47479->47481 47480 43bf02 47484 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 47480->47484 47481->47480 47485 4497ec 36 API calls 2 library calls 47481->47485 47483->47475 47484->47475 47485->47481 47486 40165e 47487 401666 47486->47487 47488 401669 47486->47488 47489 4016a8 47488->47489 47491 401696 47488->47491 47490 43455e new 22 API calls 47489->47490 47493 40169c 47490->47493 47492 43455e new 22 API calls 47491->47492 47492->47493

                                                              Control-flow Graph

                                                              APIs
                                                              • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                              • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                              • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                              • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                              • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                              • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                              • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                              • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                              • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                              • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                              • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad$HandleModule
                                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                              • API String ID: 4236061018-3687161714
                                                              • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                              • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                              • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                              • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                              Control-flow Graph

                                                              control_flow_graph: function entry 40ea00 (blocks 40ea00 to 40f3ea); executed/not-executed block and edge listing not reproduced. APIs referenced in the omitted blocks: GetModuleFileNameW, CreateThread, StrToIntA, DeleteFileW, Sleep.
                                                              APIs
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 0040EA29
                                                                • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                              • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                              • API String ID: 2830904901-1164429942
                                                              • Opcode ID: adc8aaf009c5e462c51a7f1dd67f413943138e092ef771934bf12d12d35cbce5
                                                              • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                              • Opcode Fuzzy Hash: adc8aaf009c5e462c51a7f1dd67f413943138e092ef771934bf12d12d35cbce5
                                                              • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                              Control-flow Graph

                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0040CE42
                                                              • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                              • CopyFileW.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                              • _wcslen.LIBCMT ref: 0040CF21
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                              • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000000,00000000), ref: 0040CFBF
                                                              • SetFileAttributesW.KERNELBASE(00000000,00000007), ref: 0040CFFE
                                                              • _wcslen.LIBCMT ref: 0040D001
                                                              • SetFileAttributesW.KERNELBASE(00000000,00000007), ref: 0040D018
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                              • ExitProcess.KERNEL32 ref: 0040D09D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                              • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$del$open
                                                              • API String ID: 1579085052-2041965819
                                                              • Opcode ID: 78ec28f4913f4d3f9f1528364862cf6ae71335d4f1464bd7cdb9a6dc9c28360f
                                                              • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                              • Opcode Fuzzy Hash: 78ec28f4913f4d3f9f1528364862cf6ae71335d4f1464bd7cdb9a6dc9c28360f
                                                              • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E

                                                              Control-flow Graph

                                                              APIs
                                                              • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DBD5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LongNamePath
                                                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                              • API String ID: 82841172-425784914
                                                              • Opcode ID: be4ac8304f295cf4b46394ea231ea9abe9adb1149d3e26b594abad322c0f2439
                                                              • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                              • Opcode Fuzzy Hash: be4ac8304f295cf4b46394ea231ea9abe9adb1149d3e26b594abad322c0f2439
                                                              • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

Control-flow Graph

APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
• StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
Strings
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Yara matches
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-2070987746

Control-flow Graph
control_flow_graph 656 41384f-413862 RegCreateKeyW 657 4138a1 656->657 658 413864-41389f call 40247c call 401f04 RegSetValueExW RegCloseKey 656->658 660 4138a3-4138b1 call 401f09 657->660 658->660
APIs
• RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
• RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,74DF37E0,?), ref: 00413888
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,74DF37E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
Similarity
• API ID: CloseCreateValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 1818849710-1051519024

Control-flow Graph
control_flow_graph 666 40d0a4-40d0d0 call 401fab CreateMutexA GetLastError
APIs
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
Strings
Similarity
• API ID: CreateErrorLastMutex
• String ID: SG
• API String ID: 1925916568-3189917014

Control-flow Graph
control_flow_graph 669 4135e1-41360d RegOpenKeyExA 670 413642 669->670 671 41360f-413637 RegQueryValueExA RegCloseKey 669->671 672 413644 670->672 671->672 673 413639-413640 671->673 674 413649-413655 call 402093 672->674 673->674
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
• RegCloseKey.KERNELBASE(?), ref: 0041362D
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

Control-flow Graph
control_flow_graph 677 413584-4135ac RegOpenKeyExA 678 4135db 677->678 679 4135ae-4135d9 RegQueryValueExA RegCloseKey 677->679 680 4135dd-4135e0 678->680 679->680
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
• RegCloseKey.ADVAPI32(00000000), ref: 004135CD
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

Control-flow Graph
control_flow_graph 681 40165e-401664 682 401666-401668 681->682 683 401669-401674 681->683 684 401676 683->684 685 40167b-401685 683->685 684->685 686 401687-40168d 685->686 687 4016a8-4016a9 call 43455e 685->687 686->687 688 40168f-401694 686->688 691 4016ae-4016af 687->691 688->684 690 401696-4016a6 call 43455e 688->690 693 4016b1-4016b3 690->693 691->693

Control-flow Graph
control_flow_graph 723 450154-450161 call 445b74 725 450166-450171 723->725 726 450177-45017f 725->726 727 450173-450175 725->727 728 4501bf-4501cd call 446802 726->728 729 450181-450185 726->729 727->728 730 450187-4501b9 call 448b04 729->730 735 4501bb-4501be 730->735 735->728
APIs
  • Part of subcall function 00445B74: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000), ref: 00445BB5
• _free.LIBCMT ref: 004501C0
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0

Control-flow Graph
control_flow_graph 736 445b74-445b7f 737 445b81-445b8b 736->737 738 445b8d-445b93 736->738 737->738 739 445bc1-445bcc call 44062d 737->739 740 445b95-445b96 738->740 741 445bac-445bbd RtlAllocateHeap 738->741 745 445bce-445bd0 739->745 740->741 742 445bbf 741->742 743 445b98-445b9f call 4455c6 741->743 742->745 743->739 749 445ba1-445baa call 443001 743->749 749->739 749->741
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000), ref: 00445BB5
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

Control-flow Graph
control_flow_graph 752 4461b8-4461c4 753 4461f6-446201 call 44062d 752->753 754 4461c6-4461c8 752->754 762 446203-446205 753->762 755 4461e1-4461f2 RtlAllocateHeap 754->755 756 4461ca-4461cb 754->756 758 4461f4 755->758 759 4461cd-4461d4 call 4455c6 755->759 756->755 758->762 759->753 764 4461d6-4461df call 443001 759->764 764->753 764->755
APIs
• RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0

APIs
• SetEvent.KERNEL32(?,?), ref: 00407CF4
• GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
• DeleteFileW.KERNEL32(00000000), ref: 00407DE4
  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
• DeleteFileA.KERNEL32(?), ref: 0040868D
  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• Sleep.KERNEL32(000007D0), ref: 00408733
• StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
Strings
Similarity
• API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
• String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
• API String ID: 1067849700-181434739

APIs
• __Init_thread_footer.LIBCMT ref: 004056E6
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• __Init_thread_footer.LIBCMT ref: 00405723
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
• CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
• Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
• TerminateProcess.KERNEL32(00000000), ref: 00405A17
• CloseHandle.KERNEL32 ref: 00405A23
• CloseHandle.KERNEL32 ref: 00405A2B
• CloseHandle.KERNEL32 ref: 00405A3D
• CloseHandle.KERNEL32 ref: 00405A45
Strings
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
• API String ID: 2994406822-18413064

APIs
• GetCurrentProcessId.KERNEL32 ref: 00412141
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
• CloseHandle.KERNEL32(00000000), ref: 00412190
• CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
Strings
Similarity
• API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
• String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
• API String ID: 3018269243-13974260

                                                              • Opcode ID: 8006cda52f5219bdd696dd0d675ffe777c2bf0d6e0fdc247cffe885ec1085c4b
                                                              • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                              • Opcode Fuzzy Hash: 8006cda52f5219bdd696dd0d675ffe777c2bf0d6e0fdc247cffe885ec1085c4b
                                                              • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                              • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                              • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$CloseFile$FirstNext
                                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                              • API String ID: 1164774033-3681987949
                                                              • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                              • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                              • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                              • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                              APIs
                                                              • OpenClipboard.USER32 ref: 004168FD
                                                              • EmptyClipboard.USER32 ref: 0041690B
                                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                              • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                              • CloseClipboard.USER32 ref: 00416990
                                                              • OpenClipboard.USER32 ref: 00416997
                                                              • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                              • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                              • CloseClipboard.USER32 ref: 004169BF
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                              • String ID: !D@
                                                              • API String ID: 3520204547-604454484
                                                              • Opcode ID: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                              • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                              • Opcode Fuzzy Hash: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                              • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                              • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                              • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                              • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$Close$File$FirstNext
                                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                              • API String ID: 3527384056-432212279
                                                              • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                              • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                              • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                              • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0041A04A
                                                              • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                              • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                              • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                              • API String ID: 489098229-1431523004
                                                              • Opcode ID: ed0dc15d332ee4383210d553d6c4f7a7ac5547de3233ceb75dc48dba0a47a24e
                                                              • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                              • Opcode Fuzzy Hash: ed0dc15d332ee4383210d553d6c4f7a7ac5547de3233ceb75dc48dba0a47a24e
                                                              • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                              • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                              • API String ID: 3756808967-1743721670
                                                              • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                              • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                              • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                              • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0$1$2$3$4$5$6$7$VG
                                                              • API String ID: 0-1861860590
                                                              • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                              • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                              • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                              • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0040755C
                                                              • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Object_wcslen
                                                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                              • API String ID: 240030777-3166923314
                                                              • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                              • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                              • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                              • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                              APIs
                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                              • GetLastError.KERNEL32 ref: 0041A84C
                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                              • String ID:
                                                              • API String ID: 3587775597-0
                                                              • Opcode ID: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                                              • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                              • Opcode Fuzzy Hash: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                                              • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                              • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                              • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$CloseFile$FirstNext
                                                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                              • API String ID: 1164774033-405221262
                                                              • Opcode ID: a3ce9096115a305f75ad61f69b74af84364be51e2e7fe5988e77a5b22bdf061e
                                                              • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                              • Opcode Fuzzy Hash: a3ce9096115a305f75ad61f69b74af84364be51e2e7fe5988e77a5b22bdf061e
                                                              • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                              • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                              • String ID:
                                                              • API String ID: 2341273852-0
                                                              • Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                                              • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                              • Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                                              • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Find$CreateFirstNext
                                                              • String ID: 8SG$PXG$PXG$NG$PG
                                                              • API String ID: 341183262-3812160132
                                                              • Opcode ID: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
                                                              • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                              • Opcode Fuzzy Hash: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
                                                              • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                              • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                              • GetLastError.KERNEL32 ref: 0040A328
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                              • TranslateMessage.USER32(?), ref: 0040A385
                                                              • DispatchMessageA.USER32(?), ref: 0040A390
                                                              Strings
                                                              • Keylogger initialization failure: error , xrefs: 0040A33C
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                              • String ID: Keylogger initialization failure: error
                                                              • API String ID: 3219506041-952744263
                                                              • Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                              • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                              • Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                                              • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 0040A451
                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                              • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                              • GetKeyState.USER32(00000010), ref: 0040A46E
                                                              • GetKeyboardState.USER32(?), ref: 0040A479
                                                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                              • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                              • String ID:
                                                              • API String ID: 1888522110-0
                                                              • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                              • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                              • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                                              • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                              APIs
                                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                              Similarity
                                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                                              • API String ID: 2127411465-314212984
                                                              • Opcode ID: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
                                                              • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                              • Opcode Fuzzy Hash: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
                                                              • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                              APIs
                                                                • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                              Similarity
                                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                              • String ID: !D@$PowrProf.dll$SetSuspendState
                                                              • API String ID: 1589313981-2876530381
                                                              • Opcode ID: d444d066f4fdad4d35a34b464d43113e8d04464aaad5ec9ebe6089587c88fb6e
                                                              • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                              • Opcode Fuzzy Hash: d444d066f4fdad4d35a34b464d43113e8d04464aaad5ec9ebe6089587c88fb6e
                                                              • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                              APIs
                                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                              • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                              • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                              Strings
                                                              • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                              Similarity
                                                              • API ID: Internet$CloseHandleOpen$FileRead
                                                              • String ID: http://geoplugin.net/json.gp
                                                              • API String ID: 3121278467-91888290
                                                              • Opcode ID: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                                                              • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                              • Opcode Fuzzy Hash: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                                                              • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                              APIs
                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                              • GetLastError.KERNEL32 ref: 0040BA93
                                                              Strings
                                                              • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                              • UserProfile, xrefs: 0040BA59
                                                              • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                              Similarity
                                                              • API ID: DeleteErrorFileLast
                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                              • API String ID: 2018770650-1062637481
                                                              • Opcode ID: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                                              • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                              • Opcode Fuzzy Hash: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                                              • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                              • GetLastError.KERNEL32 ref: 004179D8
                                                              Similarity
                                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                              • String ID: SeShutdownPrivilege
                                                              • API String ID: 3534403312-3733053543
                                                              • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                              • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                              • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                              • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00409293
                                                                • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                              • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                                • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                                                • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                              • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                              Similarity
                                                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                              • String ID:
                                                              • API String ID: 1824512719-0
                                                              • Opcode ID: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                                              • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                              • Opcode Fuzzy Hash: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                                              • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FSE$FSE$PkGNG
                                                              • API String ID: 0-1266307253
                                                              • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                              • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                                              • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                                              • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                              • String ID:
                                                              • API String ID: 276877138-0
                                                              • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                              • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                              • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                              • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                              APIs
                                                                • Part of subcall function 00413584: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                                                • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                                                • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                              • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                              • ExitProcess.KERNEL32 ref: 0040F905
                                                              Similarity
                                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                                              • String ID: 5.1.1 Pro$override$pth_unenc
                                                              • API String ID: 2281282204-2344886030
                                                              • Opcode ID: 8dc85b8ab8054d92d7c853158ed1b7be28c6e4132a02577863bfe4ed9005faa9
                                                              • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                              • Opcode Fuzzy Hash: 8dc85b8ab8054d92d7c853158ed1b7be28c6e4132a02577863bfe4ed9005faa9
                                                              • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                                              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                                              • GetACP.KERNEL32 ref: 00452593
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID: ACP$OCP
                                                              • API String ID: 2299586839-711371036
                                                              • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                              • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                              • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                              • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                              APIs
                                                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                              • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                              • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                              • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID: SETTINGS
                                                              • API String ID: 3473537107-594951305
                                                              • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                              • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                              • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                              • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 004096A5
                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstH_prologNext
                                                              • String ID:
                                                              • API String ID: 1157919129-0
                                                              • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                              • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                              • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                              • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                              APIs
                                                                • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                              • GetUserDefaultLCID.KERNEL32 ref: 0045279C
                                                              • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                              • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                              • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
                                                              Similarity
                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                              • String ID:
                                                              • API String ID: 745075371-0
                                                              • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                              • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                              • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                              • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
APIs
• __EH_prolog.LIBCMT ref: 0040884C
• FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
• Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
• Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
• Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
• Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$open
• API String ID: 2825088817-2582742282
• Opcode ID: 4065d5731c8f777f0d37dad74acae174bebd5acfe97c1a373d4c5e0be3d11f93
• Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
• Opcode Fuzzy Hash: 4065d5731c8f777f0d37dad74acae174bebd5acfe97c1a373d4c5e0be3d11f93
• Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: FileFind$FirstNextsend
• String ID: XPG$XPG
• API String ID: 4113138495-1962359302
• Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
• Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
• Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
• Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
• Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
• Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
• Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 1be57db16bc80fa37d3a9003a2ea5f51ddd37d0b47a9f0501ac93dd6eaa9563f
• Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
• Opcode Fuzzy Hash: 1be57db16bc80fa37d3a9003a2ea5f51ddd37d0b47a9f0501ac93dd6eaa9563f
• Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
APIs
• GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
• TerminateProcess.KERNEL32(00000000), ref: 0044337D
• ExitProcess.KERNEL32 ref: 0044338F
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: Process$CurrentExitTerminate
• String ID: PkGNG
• API String ID: 1703294689-263838557
• Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
• Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
• Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
• Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
• _wcschr.LIBVCRUNTIME ref: 00451ECA
• _wcschr.LIBVCRUNTIME ref: 00451ED8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
• Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
• Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
• Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
APIs
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• GetTimeZoneInformation.KERNEL32 ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
• Opcode ID: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
• Instruction ID: d52e19fe16dfdee109f40d049db845c42e01460133d57766726f1505d2785bee
• Opcode Fuzzy Hash: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
• Instruction Fuzzy Hash: 2D31F371904205EFDB15DF69CE8186EBBB8FF0572072446AFE024A73A1D3748D41EB28
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
• Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
• Opcode Fuzzy Hash: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
• Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
• Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
• Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
• Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
• CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
• Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
• Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
• Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
• Opcode Fuzzy Hash: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
• Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-3916222277
• Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
• Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
• Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
• Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
• Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
• Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
• Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
• Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
• HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
• Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
• Opcode Fuzzy Hash: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
• Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
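The per-function records above are raw API inventories; what a triager needs is to turn them into capability tags and to know which hits are noise. The Python below is an added example, not part of the Joe Sandbox report or of the Remcos sample: it parses records in the layout shown on this page (the constructed input copies several of the records above) and applies a small rule set of this example's own devising. ShellExecuteW together with URLDownloadToFileW becomes download-and-execute; FindFirstFileW/FindNextFileW with a nested send becomes a directory listing sent over a socket; SystemParametersInfoW with action 0x14 (SPI_SETDESKWALLPAPER) becomes wallpaper change; GetClipboardData with format 0xD (CF_UNICODETEXT) becomes clipboard capture. It also encodes the caveat a practitioner wants on the IsDebuggerPresent record: the IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter triple is the MSVC CRT's own fault-report routine, so on its own it is CRT boilerplate rather than evidence of anti-debugging. Class names, tag strings and the regular expressions are assumptions of this example.

```python
"""Added example (not Joe Sandbox code): triage the per-function API records above.
Constructed input below copies records from the report, trimmed to the lines parsed here."""
import re
from dataclasses import dataclass, field

SPI_SETDESKWALLPAPER = 0x0014  # SystemParametersInfo action: set desktop wallpaper
CF_UNICODETEXT = 0x000D        # clipboard format the sample requests (0000000D)

SAMPLE = r"""APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$open
• Opcode ID: 4065d5731c8f777f0d37dad74acae174bebd5acfe97c1a373d4c5e0be3d11f93
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
• Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
• String ID:
• Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
• Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
"""

_META = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID):\s*(.*?)\s*$")
_CALL = re.compile(r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                   r"([\w@]+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

@dataclass
class Call:
    name: str
    module: str
    args: tuple
    ref: str                  # address of the call site
    subcall_of: "str | None"  # callee address when Joe Sandbox shows the call one level down

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    strings: tuple = ()
    opcode_id: str = ""

    def api_names(self, include_subcalls=True):
        return {c.name for c in self.calls if include_subcalls or c.subcall_of is None}

    def first_arg(self, api):
        """First argument of `api` as an int; None if absent or unresolved ('?')."""
        hexargs = [c.args[0] for c in self.calls if c.name == api and c.args]
        return int(hexargs[0], 16) if hexargs and re.fullmatch(r"[0-9A-Fa-f]+", hexargs[0]) else None

def parse(text):
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur and (m := _META.match(line)):
            key, val = m.groups()
            if key == "String ID":  # Joe Sandbox joins the referenced strings with '$'
                cur.strings = tuple(s for s in val.split("$") if s)
            else:
                setattr(cur, key.lower().replace(" ", "_"), val)
        elif cur and (m := _CALL.match(line)):
            sub, name, mod, args, ref = m.groups()
            argv = tuple(a.strip() for a in args.split(",")) if args else ()
            cur.calls.append(Call(name, mod, argv, ref, sub))
    return records

def classify(rec):
    """Capability tags implied by the record's API combination (this example's rules)."""
    every, direct = rec.api_names(), rec.api_names(include_subcalls=False)
    tags = []
    if {"URLDownloadToFileW", "ShellExecuteW"} <= every:
        tags.append("download-and-execute")
    if {"FindFirstFileW", "FindNextFileW"} <= direct and "send" in every:
        tags.append("directory-listing-over-socket")
    if {"OpenClipboard", "GetClipboardData"} <= every:
        fmt = rec.first_arg("GetClipboardData")
        tags.append("clipboard-read(CF_UNICODETEXT)" if fmt == CF_UNICODETEXT else "clipboard-read")
    if rec.first_arg("SystemParametersInfoW") == SPI_SETDESKWALLPAPER:
        tags.append("wallpaper-change")
    # IsDebuggerPresent -> SetUnhandledExceptionFilter(0) -> UnhandledExceptionFilter is the MSVC
    # CRT's own fault-report path (e.g. __report_gsfailure), not an anti-debugging check.
    if {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= direct:
        tags.append("crt-fault-handler")
    elif "IsDebuggerPresent" in every:
        tags.append("anti-debug-check")
    return tags
```

Run `parse(SAMPLE)` and feed each record to `classify` to get one tag list per Opcode ID; the Opcode ID is the stable key to join these tags back onto the report, since the same API combination can appear in several functions (the two wallpaper records above share an API ID but have different Opcode IDs). The rules deliberately distinguish direct calls from "Part of subcall" entries, because a capability such as send inherited from a callee belongs to the caller's behaviour but not to its own code.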
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
APIs
• GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: NameUser
APIs
  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
• EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: InfoLocale
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• DeleteDC.GDI32(00000000), ref: 00418F65
• DeleteDC.GDI32(00000000), ref: 00418F68
• DeleteObject.GDI32(00000000), ref: 00418F6B
• SelectObject.GDI32(00000000,00000000), ref: 00418F8C
• DeleteDC.GDI32(00000000), ref: 00418F9D
• DeleteDC.GDI32(00000000), ref: 00418FA0
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetIconInfo.USER32(?,?), ref: 00418FF8
• DeleteObject.GDI32(?), ref: 00419027
• DeleteObject.GDI32(?), ref: 00419034
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
• GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
• LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
• GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
• DeleteDC.GDI32(?), ref: 004191B7
• DeleteDC.GDI32(00000000), ref: 004191BA
• DeleteObject.GDI32(00000000), ref: 004191BD
• GlobalFree.KERNEL32(?), ref: 004191C8
• DeleteObject.GDI32(00000000), ref: 0041927C
• GlobalFree.KERNEL32(?), ref: 00419283
• DeleteDC.GDI32(?), ref: 00419293
• DeleteDC.GDI32(00000000), ref: 0041929E
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
• String ID: DISPLAY
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
• GetProcAddress.KERNEL32(00000000), ref: 00418174
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
• GetProcAddress.KERNEL32(00000000), ref: 00418188
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
• GetProcAddress.KERNEL32(00000000), ref: 0041819C
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
• GetProcAddress.KERNEL32(00000000), ref: 004181B0
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
• GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
• TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
• SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
• GetCurrentProcess.KERNEL32(?), ref: 00418492
• TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
• GetLastError.KERNEL32 ref: 004184B5
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
• ExitProcess.KERNEL32 ref: 0040D80B
Memory Dump Source
• Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                              APIs
                                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                                • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                              • ExitProcess.KERNEL32 ref: 0040D454
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                              • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                              • API String ID: 3797177996-2483056239
                                                              • Opcode ID: 4ed49e942f17f0f2b3abb6c7cdc5849daee16a078121c92a28a1cb87cb179660
                                                              • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                              • Opcode Fuzzy Hash: 4ed49e942f17f0f2b3abb6c7cdc5849daee16a078121c92a28a1cb87cb179660
                                                              • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                                              APIs
                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                              • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                              • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                              • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                              • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                              • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                              • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                              • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                              • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                              • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                              • API String ID: 2649220323-436679193
                                                              • Opcode ID: 898725a538578efc964f3db07f9b73ad570f6512a08a1881f5d957b613d7759d
                                                              • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                              • Opcode Fuzzy Hash: 898725a538578efc964f3db07f9b73ad570f6512a08a1881f5d957b613d7759d
                                                              • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                              APIs
                                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                              • SetEvent.KERNEL32 ref: 0041B2AA
                                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                              • CloseHandle.KERNEL32 ref: 0041B2CB
                                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                              • API String ID: 738084811-2094122233
                                                              • Opcode ID: 7c34508947559437a3a277e9d61a1f5e5f7acc13b7aac5b1e5b5860917e6a28f
                                                              • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                              • Opcode Fuzzy Hash: 7c34508947559437a3a277e9d61a1f5e5f7acc13b7aac5b1e5b5860917e6a28f
                                                              • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                              • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                              • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                              • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Write$Create
                                                              • String ID: RIFF$WAVE$data$fmt
                                                              • API String ID: 1602526932-4212202414
                                                              • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                              • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                              • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                              • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                              • API String ID: 1646373207-89630625
                                                              • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                              • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                              • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                              • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                              APIs
                                                              • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                              • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                              • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                              • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                              • _wcslen.LIBCMT ref: 0041C1CC
                                                              • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                              • GetLastError.KERNEL32 ref: 0041C204
                                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                              • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                              • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                              • GetLastError.KERNEL32 ref: 0041C261
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                              • String ID: ?
                                                              • API String ID: 3941738427-1684325040
                                                              • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                              • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                              • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                              • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                              APIs
                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                              • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                              • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                              • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                              • API String ID: 2490988753-3346362794
                                                              • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                              • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                              • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                              • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$EnvironmentVariable$_wcschr
                                                              • String ID:
                                                              • API String ID: 3899193279-0
                                                              • Opcode ID: 546d6b1eb3b41f64b2e76db450b04a782591562765fde2d4f0a87aa2ff6224bf
                                                              • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                              • Opcode Fuzzy Hash: 546d6b1eb3b41f64b2e76db450b04a782591562765fde2d4f0a87aa2ff6224bf
                                                              • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                              • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                              • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                              • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                              • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                              • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                              • String ID: /stext "$0TG$0TG$NG$NG
                                                              • API String ID: 1223786279-2576077980
                                                              • Opcode ID: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                                              • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                              • Opcode Fuzzy Hash: 8b5758fc960045b70db6b1621d1f1f5248a15739f774e2f35fdd395e03aad00d
                                                              • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                                              APIs
                                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                              • GetCursorPos.USER32(?), ref: 0041D67A
                                                              • SetForegroundWindow.USER32(?), ref: 0041D683
                                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                              • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                              • ExitProcess.KERNEL32 ref: 0041D6F6
                                                              • CreatePopupMenu.USER32 ref: 0041D6FC
                                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                              • String ID: Close
                                                              • API String ID: 1657328048-3535843008
                                                              • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                              • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                              • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                              • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                              • SetEvent.KERNEL32(?), ref: 00404E43
                                                              • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                              • closesocket.WS2_32(?), ref: 00404E5A
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                                              • SetEvent.KERNEL32(?), ref: 00404EA2
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                                              • SetEvent.KERNEL32(?), ref: 00404EBA
                                                              • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                              • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                              • SetEvent.KERNEL32(?), ref: 00404ED1
                                                              • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                              • String ID: PkGNG
                                                              • API String ID: 3658366068-263838557
                                                              • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                              • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                              • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                              • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: _free$Info
                                                              • String ID:
                                                              • API String ID: 2509303402-0
                                                              • Opcode ID: 75151fbced3465edae0101cd141662f582d879f03032417287744dbc83fd132d
                                                              • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                              • Opcode Fuzzy Hash: 75151fbced3465edae0101cd141662f582d879f03032417287744dbc83fd132d
                                                              • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                              • __aulldiv.LIBCMT ref: 00408D88
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                              • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                              • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                              • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                              • API String ID: 3086580692-2582957567
                                                              • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                              • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                              • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                              • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                              APIs
                                                              • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                              • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                              • API String ID: 3795512280-1152054767
                                                              • Opcode ID: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                              • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                              • Opcode Fuzzy Hash: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                              • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                                              APIs
                                                              • connect.WS2_32(?,?,?), ref: 004048E0
                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                              • WSAGetLastError.WS2_32 ref: 00404A21
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                              • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                              • API String ID: 994465650-3229884001
                                                              • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                              • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                              • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                              • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                              • _free.LIBCMT ref: 0045137F
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 004513A1
                                                              • _free.LIBCMT ref: 004513B6
                                                              • _free.LIBCMT ref: 004513C1
                                                              • _free.LIBCMT ref: 004513E3
                                                              • _free.LIBCMT ref: 004513F6
                                                              • _free.LIBCMT ref: 00451404
                                                              • _free.LIBCMT ref: 0045140F
                                                              • _free.LIBCMT ref: 00451447
                                                              • _free.LIBCMT ref: 0045144E
                                                              • _free.LIBCMT ref: 0045146B
                                                              • _free.LIBCMT ref: 00451483
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID:
                                                              • API String ID: 161543041-0
                                                              • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                              • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                              • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                              • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                              APIs
                                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                                • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                                                • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                                                • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                              • ExitProcess.KERNEL32 ref: 0040D9FF
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                              • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                              • API String ID: 1913171305-3159800282
                                                              • Opcode ID: 44289f883dd7562718e3be597d001429dd6f7e5766c69b57721553f9088b28da
                                                              • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                              • Opcode Fuzzy Hash: 44289f883dd7562718e3be597d001429dd6f7e5766c69b57721553f9088b28da
                                                              • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: eb0df5fda3918316229511e27b327a59e2685e6d7c39cee33e37fcee88581610
                                                              • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                              • Opcode Fuzzy Hash: eb0df5fda3918316229511e27b327a59e2685e6d7c39cee33e37fcee88581610
                                                              • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                              APIs
                                                                • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                              • GetLastError.KERNEL32 ref: 00455D6F
                                                              • __dosmaperr.LIBCMT ref: 00455D76
                                                              • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                              • GetLastError.KERNEL32 ref: 00455D8C
                                                              • __dosmaperr.LIBCMT ref: 00455D95
                                                              • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                              • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                              • GetLastError.KERNEL32 ref: 00455F31
                                                              • __dosmaperr.LIBCMT ref: 00455F38
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                              • String ID: H
                                                              • API String ID: 4237864984-2852464175
                                                              • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                              • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                              • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                              • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                                              • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                                              • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                              • __freea.LIBCMT ref: 0044AEB0
                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                              • __freea.LIBCMT ref: 0044AEB9
                                                              • __freea.LIBCMT ref: 0044AEDE
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                              • String ID: PkGNG$tC
                                                              • API String ID: 3864826663-4196309852
                                                              • Opcode ID: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                                              • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                              • Opcode Fuzzy Hash: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                                              • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID: \&G$\&G$`&G
                                                              • API String ID: 269201875-253610517
                                                              • Opcode ID: 0a05fa7fafc3926735f9ff598043b48751ea8cfb3e4d07056946ce3260a8f3c6
                                                              • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                              • Opcode Fuzzy Hash: 0a05fa7fafc3926735f9ff598043b48751ea8cfb3e4d07056946ce3260a8f3c6
                                                              • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 65535$udp
                                                              • API String ID: 0-1267037602
                                                              • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                              • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                              • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                              • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                              APIs
                                                              • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                              • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                              • GetForegroundWindow.USER32 ref: 0040AD84
                                                              • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                              • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                              • String ID: [${ User has been idle for $ minutes }$]
                                                              • API String ID: 911427763-3954389425
                                                              • Opcode ID: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                                              • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                              • Opcode Fuzzy Hash: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                                              • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                              • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                              • __dosmaperr.LIBCMT ref: 0043A926
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                              • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                              • __dosmaperr.LIBCMT ref: 0043A963
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                              • __dosmaperr.LIBCMT ref: 0043A9B7
                                                              • _free.LIBCMT ref: 0043A9C3
                                                              • _free.LIBCMT ref: 0043A9CA
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                              • String ID:
                                                              • API String ID: 2441525078-0
                                                              • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                              • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                              • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                              • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                              APIs
                                                              • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                              • TranslateMessage.USER32(?), ref: 0040557E
                                                              • DispatchMessageA.USER32(?), ref: 00405589
                                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                              • String ID: CloseChat$DisplayMessage$GetMessage
                                                              • API String ID: 2956720200-749203953
                                                              • Opcode ID: 92a42e6f76523c23ad071d277faa5832b5c30b25a00b0af7c670b91f71b4b998
                                                              • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                              • Opcode Fuzzy Hash: 92a42e6f76523c23ad071d277faa5832b5c30b25a00b0af7c670b91f71b4b998
                                                              • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                                              APIs
                                                                • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                              • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                              • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                              • String ID: 0VG$0VG$<$@$Temp
                                                              • API String ID: 1704390241-2575729100
                                                              • Opcode ID: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                                              • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                                              • Opcode Fuzzy Hash: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                                              • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                              APIs
                                                              • OpenClipboard.USER32 ref: 0041697C
                                                              • EmptyClipboard.USER32 ref: 0041698A
                                                              • CloseClipboard.USER32 ref: 00416990
                                                              • OpenClipboard.USER32 ref: 00416997
                                                              • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                              • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                              • CloseClipboard.USER32 ref: 004169BF
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                              • String ID: !D@
                                                              • API String ID: 2172192267-604454484
                                                              • Opcode ID: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                                              • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                              • Opcode Fuzzy Hash: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                                              • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                              APIs
                                                              • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                              • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                              • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                              • CloseHandle.KERNEL32(?), ref: 004134A0
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                              • String ID:
                                                              • API String ID: 297527592-0
                                                              • Opcode ID: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
                                                              • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                              • Opcode Fuzzy Hash: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
                                                              • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                              • String ID:
                                                              • API String ID: 221034970-0
                                                              • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                                              • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                              • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                                              • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                              APIs
                                                              • _free.LIBCMT ref: 004481B5
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 004481C1
                                                              • _free.LIBCMT ref: 004481CC
                                                              • _free.LIBCMT ref: 004481D7
                                                              • _free.LIBCMT ref: 004481E2
                                                              • _free.LIBCMT ref: 004481ED
                                                              • _free.LIBCMT ref: 004481F8
                                                              • _free.LIBCMT ref: 00448203
                                                              • _free.LIBCMT ref: 0044820E
                                                              • _free.LIBCMT ref: 0044821C
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                              • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                              • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                              • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Eventinet_ntoa
                                                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                              • API String ID: 3578746661-3604713145
                                                              • Opcode ID: f263e4c13fc2064b78efa21c35b83796e15668e555435fd99ba599c6ad5ca075
                                                              • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                                              • Opcode Fuzzy Hash: f263e4c13fc2064b78efa21c35b83796e15668e555435fd99ba599c6ad5ca075
                                                              • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                                              APIs
                                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DecodePointer
                                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                              • API String ID: 3527080286-3064271455
                                                              • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                              • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                                              • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                              • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                              • __fassign.LIBCMT ref: 0044B4F9
                                                              • __fassign.LIBCMT ref: 0044B514
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
                                                              • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID: PkGNG
                                                              • API String ID: 1324828854-263838557
                                                              • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                              • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                              • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                              • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              • Sleep.KERNEL32(00000064), ref: 0041755C
                                                              • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CreateDeleteExecuteShellSleep
                                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                              • API String ID: 1462127192-2001430897
                                                              • Opcode ID: f341753d6f3a08b8f61e7ed043ac881f71afe8c82c6e57c86a755af76922d4c4
                                                              • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                                              • Opcode Fuzzy Hash: f341753d6f3a08b8f61e7ed043ac881f71afe8c82c6e57c86a755af76922d4c4
                                                              • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                              • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 004074D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                              • API String ID: 2050909247-4242073005
                                                              • Opcode ID: cf568b37148f4497f81ab12635e2dca67c7b70f724ed768a1d25f1bc6ab9bf95
                                                              • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                                              • Opcode Fuzzy Hash: cf568b37148f4497f81ab12635e2dca67c7b70f724ed768a1d25f1bc6ab9bf95
                                                              • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
APIs
• _strftime.LIBCMT ref: 00401D50
  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
Strings
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
• API String ID: 3809562944-243156785
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
• int.LIBCPMT ref: 00410EBC
  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
• std::_Facet_Register.LIBCPMT ref: 00410EFC
• std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
• __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
• __Init_thread_footer.LIBCMT ref: 00410F64
Strings
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• String ID: ,kG$0kG
• API String ID: 3815856325-2015055088
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
• waveInStart.WINMM ref: 00401CFE
Strings
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: dMG$|MG$PG
• API String ID: 1356121797-532278878
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
• lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
• Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
• TranslateMessage.USER32(?), ref: 0041D57A
• DispatchMessageA.USER32(?), ref: 0041D584
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
Strings
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
APIs
• GetCPInfo.KERNEL32(?,?), ref: 00453EAF
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
• __alloca_probe_16.LIBCMT ref: 00453F6A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
• __alloca_probe_16.LIBCMT ref: 00454014
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
• __freea.LIBCMT ref: 00454083
• __freea.LIBCMT ref: 0045408F
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID:
• API String ID: 201697637-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• _memcmp.LIBVCRUNTIME ref: 004454A4
• _free.LIBCMT ref: 00445515
• _free.LIBCMT ref: 0044552E
• _free.LIBCMT ref: 00445560
• _free.LIBCMT ref: 00445569
• _free.LIBCMT ref: 00445575
Strings
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
Strings
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
APIs
• __Init_thread_footer.LIBCMT ref: 004018BE
• ExitThread.KERNEL32 ref: 004018F6
• waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
Strings
• API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: PkG$XMG$NG$NG
• API String ID: 1649129571-3151166067
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
  • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
Strings
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
APIs
• SendInput.USER32 ref: 00419A25
• SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
• SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
  • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
Strings
• API ID: __freea$__alloca_probe_16_free
• String ID: a/p$am/pm$h{D
• API String ID: 2936374016-2303565833
APIs
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
• _free.LIBCMT ref: 00444E87
• _free.LIBCMT ref: 00444E9E
• _free.LIBCMT ref: 00444EBD
• _free.LIBCMT ref: 00444ED8
• _free.LIBCMT ref: 00444EEF
Strings
• API ID: _free$AllocateHeap
• String ID: KED
• API String ID: 3033488037-2133951994
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
Strings
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$xUG$TG
• API String ID: 3554306468-1165877943
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
Strings
• API ID: CloseEnumInfoOpenQuerysend
• String ID: xUG$NG$NG$TG
• API String ID: 3114080316-2811732169
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
• __alloca_probe_16.LIBCMT ref: 00451231
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
• __freea.LIBCMT ref: 0045129D
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
Strings
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID: PkGNG
• API String ID: 313313983-263838557
APIs
  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
• _wcslen.LIBCMT ref: 0041B7F4
Strings
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-122982132
APIs
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
• PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
Strings
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
• _free.LIBCMT ref: 00450FC8
  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00450FD3
• _free.LIBCMT ref: 00450FDE
• _free.LIBCMT ref: 00451032
• _free.LIBCMT ref: 0045103D
• _free.LIBCMT ref: 00451048
• _free.LIBCMT ref: 00451053
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
• int.LIBCPMT ref: 004111BE
  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
• std::_Facet_Register.LIBCPMT ref: 004111FE
• std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
• __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
Strings
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: (mG
• API String ID: 2536120697-4059303827
APIs
• GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
• SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe), ref: 0040760B
  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• CoUninitialize.OLE32 ref: 00407664
Strings
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-1840432179
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
• GetLastError.KERNEL32 ref: 0040BB22
Strings
• [Chrome Cookies not found], xrefs: 0040BB3C
• UserProfile, xrefs: 0040BAE8
• [Chrome Cookies found, cleared!], xrefs: 0040BB48
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
APIs
• AllocConsole.KERNEL32(00475338), ref: 0041CE35
• ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
Strings
• API ID: Console$AllocOutputShowWindow
• String ID: Remcos v$5.1.1 Pro$CONOUT$
• API String ID: 2425139147-3820604032
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
• FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
Strings
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$PkGNG$mscoree.dll
• API String ID: 4061214504-213444651
APIs
• __allrem.LIBCMT ref: 0043ACE9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
• __allrem.LIBCMT ref: 0043AD1C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
• __allrem.LIBCMT ref: 0043AD51
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
APIs
• Sleep.KERNEL32(00000000,?), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Strings
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
• API String ID: 3469354165-3054508432
                                                              • Opcode ID: b4ffaf4d4bc36b92846901c683608e499d22e7149b7f9014ad6a348d41818569
                                                              • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                              • Opcode Fuzzy Hash: b4ffaf4d4bc36b92846901c683608e499d22e7149b7f9014ad6a348d41818569
                                                              • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                              APIs
                                                                • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                              • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                              • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                                                • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                                                • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                                • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                              • String ID:
                                                              • API String ID: 3950776272-0
                                                              • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                              • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                              • Opcode Fuzzy Hash: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                                              • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: __cftoe
                                                              • String ID:
                                                              • API String ID: 4189289331-0
                                                              • Opcode ID: dfe269b3e7c89c95b27fedd159a696e88b5656ec827068c0169833f59e794ee9
                                                              • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                              • Opcode Fuzzy Hash: dfe269b3e7c89c95b27fedd159a696e88b5656ec827068c0169833f59e794ee9
                                                              • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                              • String ID:
                                                              • API String ID: 493672254-0
                                                              • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                              • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                              • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                              • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID: PkGNG
                                                              • API String ID: 1036877536-263838557
                                                              • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                              • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                              • Opcode Fuzzy Hash: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                              • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                              APIs
                                                              • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                              • _free.LIBCMT ref: 004482CC
                                                              • _free.LIBCMT ref: 004482F4
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                              • _abort.LIBCMT ref: 00448313
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                              • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                              • Opcode Fuzzy Hash: c2591106eec843b6d6e807480f59c56eb64d59fc50806e925db96e87570db6c2
                                                              • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                              • String ID:
                                                              • API String ID: 221034970-0
                                                              • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                              • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                              • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                              • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                              • String ID:
                                                              • API String ID: 221034970-0
                                                              • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                              • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                              • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                              • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                              • String ID:
                                                              • API String ID: 221034970-0
                                                              • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                              • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                              • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                              • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID: @^E
                                                              • API String ID: 269201875-2908066071
                                                              • Opcode ID: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                              • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                              • Opcode Fuzzy Hash: 439bce076e8af1f4f00d09f36dc57c4360a04deb8f32f7f303546f6c5063276e
                                                              • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PkGNG
                                                              • API String ID: 0-263838557
                                                              • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                              • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                              • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                              • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                              APIs
                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                              • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                                              • CloseHandle.KERNEL32(?), ref: 00404DDB
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                              • String ID: PkGNG
                                                              • API String ID: 3360349984-263838557
                                                              • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                              • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                              • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                              • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                              • wsprintfW.USER32 ref: 0040B22E
                                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: EventLocalTimewsprintf
                                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                              • API String ID: 1497725170-248792730
                                                              • Opcode ID: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
                                                              • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                              • Opcode Fuzzy Hash: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
                                                              • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                              • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleSizeSleep
                                                              • String ID: XQG
                                                              • API String ID: 1958988193-3606453820
                                                              • Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                              • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                              • Opcode Fuzzy Hash: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                              • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                                              APIs
                                                              • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                              • GetLastError.KERNEL32 ref: 0041D611
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: ClassCreateErrorLastRegisterWindow
                                                              • String ID: 0$MsgWindowClass
                                                              • API String ID: 2877667751-2410386613
                                                              • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                              • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                              • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                              • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                              APIs
                                                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                              • CloseHandle.KERNEL32(?), ref: 004077E5
                                                              • CloseHandle.KERNEL32(?), ref: 004077EA
                                                              Strings
                                                              • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle$CreateProcess
                                                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                              Strings
                                                              • SG, xrefs: 00407715
                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 004076FF
                                                              Similarity
                                                              • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                              APIs
                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                                              • SetEvent.KERNEL32(?), ref: 0040512C
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                                              • CloseHandle.KERNEL32(?), ref: 00405140
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              Similarity
                                                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                              • String ID: KeepAlive | Disabled
                                                              APIs
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                              • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                              • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                              Similarity
                                                              • API ID: PlaySound$HandleLocalModuleSleepTime
                                                              • String ID: Alarm triggered
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                              • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                              Strings
                                                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                              Similarity
                                                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                              APIs
                                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                              • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                              Similarity
                                                              • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                              Similarity
                                                              • API ID: _free
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                              • _free.LIBCMT ref: 0044F43F
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                                              • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                                              Similarity
                                                              • API ID: File$CloseHandle$CreatePointerWrite
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                                              • _free.LIBCMT ref: 00448353
                                                              • _free.LIBCMT ref: 0044837A
                                                              • SetLastError.KERNEL32(00000000), ref: 00448387
                                                              • SetLastError.KERNEL32(00000000), ref: 00448390
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              APIs
                                                              • _free.LIBCMT ref: 00450A54
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 00450A66
                                                              • _free.LIBCMT ref: 00450A78
                                                              • _free.LIBCMT ref: 00450A8A
                                                              • _free.LIBCMT ref: 00450A9C
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              APIs
                                                              • _free.LIBCMT ref: 00444106
                                                                • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                              • _free.LIBCMT ref: 00444118
                                                              • _free.LIBCMT ref: 0044412B
                                                              • _free.LIBCMT ref: 0044413C
                                                              • _free.LIBCMT ref: 0044414D
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              Similarity
                                                              • String ID: PkGNG
                                                              Similarity
                                                              • API ID: CountEventTick
                                                              • String ID: !D@$NG
                                                              APIs
                                                              • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                              • String ID: XQG$NG$PG
                                                              • API String ID: 1634807452-3565412412
                                                              • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                              • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                              • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                              • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe,00000104), ref: 00443515
                                                              • _free.LIBCMT ref: 004435E0
                                                              • _free.LIBCMT ref: 004435EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                              • API String ID: 2506810119-4083458154
                                                              • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                              • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                              • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                              • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                                              • GetLastError.KERNEL32 ref: 0044B9B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharErrorFileLastMultiWideWrite
                                                              • String ID: PkGNG
                                                              • API String ID: 2456169464-263838557
                                                              • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                              • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                                              • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                              • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                              • String ID: /sort "Visit Time" /stext "$0NG
                                                              • API String ID: 368326130-3219657780
                                                              • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                              • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                              • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                              • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00416330
                                                                • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen$CloseCreateValue
                                                              • String ID: !D@$okmode$PG
                                                              • API String ID: 3411444782-3370592832
                                                              • Opcode ID: 35fbf123078c83e442a4a08110d0a28feb217dd0509abb738719859e34f9bafd
                                                              • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                              • Opcode Fuzzy Hash: 35fbf123078c83e442a4a08110d0a28feb217dd0509abb738719859e34f9bafd
                                                              • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                              APIs
                                                                • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                              • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                              Strings
                                                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                              • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                              • API String ID: 1174141254-1980882731
                                                              • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                              • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                              • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                              • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                              APIs
                                                                • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                              • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                              Strings
                                                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                              • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                              • API String ID: 1174141254-1980882731
                                                              • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                              • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                              • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                              • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread$LocalTimewsprintf
                                                              • String ID: Offline Keylogger Started
                                                              • API String ID: 465354869-4114347211
                                                              • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                              • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                              • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                              • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                              APIs
                                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                                              • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread$LocalTime$wsprintf
                                                              • String ID: Online Keylogger Started
                                                              • API String ID: 112202259-1258561607
                                                              • Opcode ID: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                              • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                              • Opcode Fuzzy Hash: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                              • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                              APIs
                                                              • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                                              • API String ID: 481472006-3277280411
                                                              • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                              • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                              • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                              • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                              • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                              Strings
                                                              • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Create$EventLocalThreadTime
                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                              • API String ID: 2532271599-1507639952
                                                              • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                              • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                              • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                              • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: CryptUnprotectData$crypt32
                                                              • API String ID: 2574300362-2380590389
                                                              • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                              • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                              • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                              • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
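A triage helper, added here as an example and not part of the Joe Sandbox report or of the analysed sample: it parses per-function listings in the format shown above (the `APIs` lines, the `String ID` line and the `Opcode ID` line) and maps API-plus-string combinations to the capability each function evidences, so the socket, HKCU registry, cookie-path, keylogger-thread and `crypt32`/`CryptUnprotectData` functions on this page get a one-line label instead of a hash. The capability rules, the `FuncBlock` type and the embedded `SAMPLE` excerpt (a trimmed copy of blocks from this report, constructed for the example) are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# One API call line in the "APIs" section, with or without the "Part of subcall function" prefix,
# with or without an argument list (e.g. "_free.LIBCMT ref: ..." has none).
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([\w@]+)\.([A-Z0-9_]+)(?:\((.*?)\))?"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Yara matches", "Similarity"}


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)     # (api name, module, argument text)
    strings: list = field(default_factory=list)  # entries of the "String ID" line, split on "$"
    opcode_id: str = ""


def parse_blocks(text):
    """Split a report excerpt into FuncBlocks; every function listing starts at an 'APIs' header."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                current = FuncBlock()
                blocks.append(current)
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append((m.group(1), m.group(2), m.group(3) or ""))
        elif line.startswith("• String ID:"):
            current.strings = line.split(":", 1)[1].strip().split("$")
        elif line.startswith("• Opcode ID:"):
            current.opcode_id = line.split(":", 1)[1].strip()
    return blocks


# Capability rules (label, predicate over api-name set, argument text, string text).
# These are the example author's assumptions, chosen to match the functions on this page.
RULES = [
    ("DPAPI decryption via CryptUnprotectData (browser credential/cookie theft)",
     lambda n, a, s: "CryptUnprotectData" in n or "CryptUnprotectData" in a or "CryptUnprotectData" in s),
    ("Chromium cookie database discovery", lambda n, a, s: r"Network\Cookies" in s),
    ("keylogger thread start", lambda n, a, s: "CreateThread" in n and "Keylogger" in s),
    ("C2 keep-alive timer", lambda n, a, s: "KeepAlive" in s),
    ("raw socket C2 traffic", lambda n, a, s: {"connect", "send"} <= n),
    # 0x80000001 is HKEY_CURRENT_USER, so the RegCreateKeyA argument identifies the hive.
    ("HKCU registry write (config/persistence)",
     lambda n, a, s: "RegSetValueExA" in n and "80000001" in a),
    ("runs inside MSBuild.exe (injected host process)", lambda n, a, s: "MSBuild.exe" in s),
    ("spawns a /stext-style command-line dumper", lambda n, a, s: "/stext" in s),
]


def capabilities(block):
    names = {api for api, _, _ in block.apis}
    args = " ".join(arg for _, _, arg in block.apis)
    strs = "$".join(block.strings)
    return [label for label, pred in RULES if pred(names, args, strs)]


def triage(text):
    """Return {opcode_id[:12]: [capability, ...]} for every block that evidences something."""
    out = {}
    for b in parse_blocks(text):
        caps = capabilities(b)
        if caps:
            out[b.opcode_id[:12]] = caps
    return out


# Constructed excerpt: trimmed copies of function listings from this report.
SAMPLE = r"""
APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Strings
Similarity
• String ID: XQG$NG$PG
• Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
APIs
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
Similarity
• String ID: !D@$okmode$PG
• Opcode ID: 35fbf123078c83e442a4a08110d0a28feb217dd0509abb738719859e34f9bafd
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
Strings
• User Data\Default\Network\Cookies, xrefs: 0040C63E
Similarity
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
APIs
• CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
Similarity
• String ID: Offline Keylogger Started
• Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
APIs
• LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
• GetProcAddress.KERNEL32(00000000), ref: 00406AC4
Similarity
• String ID: CryptUnprotectData$crypt32
• Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
Similarity
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• Opcode ID: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
"""

if __name__ == "__main__":
    for opcode, caps in triage(SAMPLE).items():
        print(opcode, "->", "; ".join(caps))
```

Two points worth keeping in mind when extending the rules: `CryptUnprotectData` is resolved at run time through `LoadLibraryA("crypt32")` and `GetProcAddress`, so it never appears in the import table and only the string (and the `LoadLibraryA` argument) gives it away; and the C runtime block at the end is the negative case, which is why the rules key on API-and-string pairs rather than on any single API such as `CreateThread`.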
                                                              APIs
                                                              • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                                              • GetLastError.KERNEL32 ref: 0044C316
                                                              • __dosmaperr.LIBCMT ref: 0044C31D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer__dosmaperr
                                                              • String ID: PkGNG
                                                              • API String ID: 2336955059-263838557
                                                              • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                              • Instruction ID: 8193a85edd99f1e073baf55791db2896ff72ac9ff19ac05387a69161c0de0417
                                                              • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                              • Instruction Fuzzy Hash: FB019032A11108BBDB01DFDDDC4586E7B19EB81320B28034EFD2097280EAB4DD119794
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                              • CloseHandle.KERNEL32(?), ref: 004051CA
                                                              • SetEvent.KERNEL32(?), ref: 004051D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEventHandleObjectSingleWait
                                                              • String ID: Connection Timeout
                                                              • API String ID: 2055531096-499159329
                                                              • Opcode ID: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                                                              • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                              • Opcode Fuzzy Hash: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                                                              • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                              APIs
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Exception@8Throw
                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                              • API String ID: 2005118841-1866435925
                                                              • Opcode ID: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                              • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                              • Opcode Fuzzy Hash: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                              • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                              APIs
                                                              • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                                              • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FormatFreeLocalMessage
                                                              • String ID: @J@$PkGNG
                                                              • API String ID: 1427518018-1416487119
                                                              • Opcode ID: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                              • Instruction ID: 923000db8f6a2d31ebee0df48ef62036c6bc2ff20d3f060cbaedccf048ea6ec3
                                                              • Opcode Fuzzy Hash: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                              • Instruction Fuzzy Hash: 34F0A930B00219A6DF14A766DC4ADFF772DDB44305B10407FB605B21D1DE785D059659
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                              • String ID: bad locale name
                                                              • API String ID: 3628047217-1405518554
                                                              • Opcode ID: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                                              • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                              • Opcode Fuzzy Hash: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                                              • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                              APIs
                                                              • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                              • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                              • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateValue
                                                              • String ID: Control Panel\Desktop
                                                              • API String ID: 1818849710-27424756
                                                              • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                              • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                              • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                                              • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                              • ShowWindow.USER32(00000009), ref: 00416C9C
                                                              • SetForegroundWindow.USER32 ref: 00416CA8
                                                                • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                              • String ID: !D@
                                                              • API String ID: 3446828153-604454484
                                                              • Opcode ID: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                                                              • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                              • Opcode Fuzzy Hash: 4d9bf94020eca6f9e295162147b2deb229949cce80f8bc9c3a6d36dbd144fb99
                                                              • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExecuteShell
                                                              • String ID: /C $cmd.exe$open
                                                              • API String ID: 587946157-3896048727
                                                              • Opcode ID: df79394fdd2e8ac4c6a51a4d6bf5cb7422c6ad95fc7d3df390015c01fd08e55b
                                                              • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                              • Opcode Fuzzy Hash: df79394fdd2e8ac4c6a51a4d6bf5cb7422c6ad95fc7d3df390015c01fd08e55b
                                                              • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: GetCursorInfo$User32.dll
                                                              • API String ID: 1646373207-2714051624
                                                              • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                              • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                              • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                              • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                              • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetLastInputInfo$User32.dll
                                                              • API String ID: 2574300362-1519888992
                                                              • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                              • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                              • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                              • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                              Strings
                                                              • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                              • Cleared browsers logins and cookies., xrefs: 0040C130
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                              • API String ID: 3472027048-1236744412
                                                              • Opcode ID: 857d3cd121560083d8ce3f08402db4584d0000cc5e9f96a8e1a49aed9ab164ab
                                                              • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                              • Opcode Fuzzy Hash: 857d3cd121560083d8ce3f08402db4584d0000cc5e9f96a8e1a49aed9ab164ab
                                                              • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                              APIs
                                                                • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                                • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                              • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                              • Sleep.KERNEL32(00000064), ref: 0040A638
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$SleepText$ForegroundLength
                                                              • String ID: [ $ ]
                                                              • API String ID: 3309952895-93608704
                                                              • Opcode ID: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                                                              • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                              • Opcode Fuzzy Hash: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                                                              • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 911473749be2fa5c2776252735adb4f144d6ecb150fd6d6ba7d991cf4941a2f5
                                                              • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                              • Opcode Fuzzy Hash: 911473749be2fa5c2776252735adb4f144d6ecb150fd6d6ba7d991cf4941a2f5
                                                              • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7286f010cda03a875959cf2de4cc99ef12f7635f3b898eb143771747277d2a1
                                                              • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                              • Opcode Fuzzy Hash: b7286f010cda03a875959cf2de4cc99ef12f7635f3b898eb143771747277d2a1
                                                              • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                              • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                              • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                              • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                              • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleReadSize
                                                              • String ID:
                                                              • API String ID: 3919263394-0
                                                              • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                              • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                              • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                                              • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                              APIs
                                                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandleOpenProcess
                                                              • String ID:
                                                              • API String ID: 39102293-0
                                                              • Opcode ID: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                              • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                              • Opcode Fuzzy Hash: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                              • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                              APIs
                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                              • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                              • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                              • String ID:
                                                              • API String ID: 2633735394-0
                                                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                              • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                              • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                              APIs
                                                              • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                              • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                              • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                              • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MetricsSystem
                                                              • String ID:
                                                              • API String ID: 4116985748-0
                                                              • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                              • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                              • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                              • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                              APIs
                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                              • String ID:
                                                              • API String ID: 1761009282-0
                                                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                              • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                              • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorHandling__start
                                                              • String ID: pow
                                                              • API String ID: 3213639722-2276729525
                                                              • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                              • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                              • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                              • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                                              • GetLastError.KERNEL32 ref: 00449FAB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharErrorLastMultiWide
                                                              • String ID: PkGNG
                                                              • API String ID: 203985260-263838557
                                                              • Opcode ID: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                              • Instruction ID: e4919e29a80df6b7ced925805d10dfcffaa1b378e184719e11b938f1b8f94c7b
                                                              • Opcode Fuzzy Hash: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                              • Instruction Fuzzy Hash: 2331E430200201ABFB21EF56C845BAB7768EF45721F15016BF815C7391DB38CD45E7A9
                                                              APIs
                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                              • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Init_thread_footer__onexit
                                                              • String ID: [End of clipboard]$[Text copied to clipboard]
                                                              • API String ID: 1881088180-3686566968
                                                              • Opcode ID: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                              • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                              • Opcode Fuzzy Hash: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                              • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                              APIs
                                                              • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ACP$OCP
                                                              • API String ID: 0-711371036
                                                              • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                              • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                              • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                              • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                                              • GetLastError.KERNEL32 ref: 0044B884
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: PkGNG
                                                              • API String ID: 442123175-263838557
                                                              • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                              • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                                                              • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                              • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                                              • GetLastError.KERNEL32 ref: 0044B796
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: PkGNG
                                                              • API String ID: 442123175-263838557
                                                              • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                              • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                                                              • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                              • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                              Strings
                                                              • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                              • API String ID: 481472006-1507639952
                                                              • Opcode ID: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                              • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                              • Opcode Fuzzy Hash: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                              • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                              APIs
                                                              • Sleep.KERNEL32 ref: 0041667B
                                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DownloadFileSleep
                                                              • String ID: !D@
                                                              • API String ID: 1931167962-604454484
                                                              • Opcode ID: 092e42fcb9aaa0e887aa486cfc6f9746e7f9b69877162c24d85fe42e211bf098
                                                              • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                              • Opcode Fuzzy Hash: 092e42fcb9aaa0e887aa486cfc6f9746e7f9b69877162c24d85fe42e211bf098
                                                              • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                              APIs
                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: alarm.wav$hYG
                                                              • API String ID: 1174141254-2782910960
                                                              • Opcode ID: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                                                              • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                              • Opcode Fuzzy Hash: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                                                              • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                              APIs
                                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                              • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                              • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                              • String ID: Online Keylogger Stopped
                                                              • API String ID: 1623830855-1496645233
                                                              • Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                                              • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                              • Opcode Fuzzy Hash: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                                              • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                              APIs
                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: String
                                                              • String ID: LCMapStringEx$PkGNG
                                                              • API String ID: 2568140703-1065776982
                                                              • Opcode ID: aac5d351483de452061b997450265c1da9567a4c5720285b7a7b965a3286f227
                                                              • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                                              • Opcode Fuzzy Hash: aac5d351483de452061b997450265c1da9567a4c5720285b7a7b965a3286f227
                                                              • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                                              APIs
                                                              • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                              • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: wave$BufferHeaderPrepare
                                                              • String ID: XMG
                                                              • API String ID: 2315374483-813777761
                                                              • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                              • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                              • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                              • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                              APIs
                                                              • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocaleValid
                                                              • String ID: IsValidLocaleName$kKD
                                                              • API String ID: 1901932003-3269126172
                                                              • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                              • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                              • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                              • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                              APIs
                                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                              • API String ID: 1174141254-4188645398
                                                              • Opcode ID: f9a07996837724957705d56df4e2d94e9c7b3399acd9f5249461b7d2a15f9b23
                                                              • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                              • Opcode Fuzzy Hash: f9a07996837724957705d56df4e2d94e9c7b3399acd9f5249461b7d2a15f9b23
                                                              • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                              APIs
                                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.1678765530.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_400000_MSBuild.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                              • API String ID: 1174141254-2800177040
                                                              • Opcode ID: b27d649c1a99b770e2ee573beac095cc0176eb12c484dff086be6ac562635e32
                                                              • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                              • Opcode Fuzzy Hash: b27d649c1a99b770e2ee573beac095cc0176eb12c484dff086be6ac562635e32
                                                              • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                              APIs
                                                              • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: AppData$\Opera Software\Opera Stable\
                                                              APIs
                                                              • GetKeyState.USER32(00000011), ref: 0040B686
                                                                • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                                • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                                • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                              • String ID: [AltL]$[AltR]
                                                              APIs
                                                              • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Time$FileSystem
                                                              • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExecuteShell
                                                              • String ID: !D@$open
                                                              APIs
                                                              • ___initconout.LIBCMT ref: 004555DB
                                                                • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                                                              • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ConsoleCreateFileWrite___initconout
                                                              • String ID: PkGNG
                                                              APIs
                                                              • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: State
                                                              • String ID: [CtrlL]$[CtrlR]
                                                              APIs
                                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                              • __Init_thread_footer.LIBCMT ref: 00410F64
                                                              Strings
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Init_thread_footer__onexit
                                                              • String ID: ,kG$0kG
                                                              APIs
                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                                              • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteOpenValue
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                              • GetLastError.KERNEL32 ref: 00440D85
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                              • String ID:
                                                              APIs
                                                              • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411F2B), ref: 00411BC7
                                                              • IsBadReadPtr.KERNEL32(?,00000014,00411F2B), ref: 00411C93
                                                              • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                                              • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastRead
                                                              • String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPfq
                                                              • API String ID: 0-3170913260
                                                              • Opcode ID: 74b5b531690509486363f71a5d5a431c175498efd48ae1240b6dde4f259a9191
                                                              • Instruction ID: cbeec6b8c37bdf6e7b50791d011c5d39ec20ee68e4b17265df61c59f2d12ceb4
                                                              • Opcode Fuzzy Hash: 74b5b531690509486363f71a5d5a431c175498efd48ae1240b6dde4f259a9191
                                                              • Instruction Fuzzy Hash: FC210970B001168FCB48EFB8D59896D7BB2AF49711B2144A9D906DF3B5DA35EC01CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `Qfq
                                                              • API String ID: 0-1673126163
                                                              • Opcode ID: 86a8506c7cc4b23834f8015c91a3846775050f128cdb05364d1f8872d151212e
                                                              • Instruction ID: 7ab994dfedfd0fa034b70814ce81ba0dafd0e981a048b35e82b7fd62d2c76c6a
                                                              • Opcode Fuzzy Hash: 86a8506c7cc4b23834f8015c91a3846775050f128cdb05364d1f8872d151212e
                                                              • Instruction Fuzzy Hash: AE119370A142958BDB18EBAAC5597AEBBF6BF89300F504029D901E7385DF349D409BA0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 03450038af221ea7a111072898884b6064127085e48a7a2d8bb8e43ebdfbae8c
                                                              • Instruction ID: 209823fa70caa98296a99dc2be1798c5c7366470e9e08b9a2c750ed39ffb9f80
                                                              • Opcode Fuzzy Hash: 03450038af221ea7a111072898884b6064127085e48a7a2d8bb8e43ebdfbae8c
                                                              • Instruction Fuzzy Hash: 4AA13530600646CFCB55EF28C4C4A69BBF6EF44350F4AC5A9E8499B666E730FD84CB84
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 029845b569e69fa7d4c57476546e10f94573d90e5ca59c4e0bd2a44c0a351e22
                                                              • Instruction ID: 7109e5cfaee90d410e4e92d1ec062b0bd71d7ca61c9f5ad1721ff310e2f9043d
                                                              • Opcode Fuzzy Hash: 029845b569e69fa7d4c57476546e10f94573d90e5ca59c4e0bd2a44c0a351e22
                                                              • Instruction Fuzzy Hash: 56916D75E002089FCB19DFE5D944AEEBBBABF89300F14812AE915E7258DB319D46CF50
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 53e243448e92ced19aedf71314c8788ef2fcdaca86b9f3c58b5d747aade472db
                                                              • Instruction ID: 73ecc3103ca0b5c03ec2b4f20eb769572dd0c1789f23a43787b4f6a1b584ff82
                                                              • Opcode Fuzzy Hash: 53e243448e92ced19aedf71314c8788ef2fcdaca86b9f3c58b5d747aade472db
                                                              • Instruction Fuzzy Hash: ED618931B102199FDB54DF68D984BAEBBF2BF89710F148029E905EB295CB349C41CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a1ab615f4a72f398e5a83f1c9dd53ff19fb6fedf3974d3474fe23e1ea6f262a
                                                              • Instruction ID: b60185ff1b5af088f09d4db82b30437b76f40bfe79e6c102352bf3c717a7fa94
                                                              • Opcode Fuzzy Hash: 6a1ab615f4a72f398e5a83f1c9dd53ff19fb6fedf3974d3474fe23e1ea6f262a
                                                              • Instruction Fuzzy Hash: 5A31A030A20205CFD769CFA9D988BB97BF6EF45312F4584A9E915CB1D2D735D880CB60
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 066109198bf003b0fd5308ba7ab8d4a752d33a65dad3345474c69b3bb58a1f50
                                                              • Instruction ID: cf2fdd17ee0d79276dfa2e8edb3fa397ce62745aee30419ccdefe634236ca5fc
                                                              • Opcode Fuzzy Hash: 066109198bf003b0fd5308ba7ab8d4a752d33a65dad3345474c69b3bb58a1f50
                                                              • Instruction Fuzzy Hash: 7F11E1B2E003489FCBA9DF7C98887AE7FB6EFD5324F5141AED0159B242DB7148028B50
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 36bb8f03c2a49c5d84f16313e9f30ac59c3a9543c7e10ab9dc7556b3f27165ba
                                                              • Instruction ID: 655fcf1e76bb36e23e782024330c4478a9896bba7a39dd45fd71422d954db5ea
                                                              • Opcode Fuzzy Hash: 36bb8f03c2a49c5d84f16313e9f30ac59c3a9543c7e10ab9dc7556b3f27165ba
                                                              • Instruction Fuzzy Hash: 7101F9B2B501308FC7199F3DE44492A77E6AFD972132641BAE805DB375CA31DC028B90
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63b0d9a8d547ac8d2f982035147d942c7ebc56576e20c111212e056e227240c9
                                                              • Instruction ID: 1504e0ab92d278572c831a480d40e25a03dd6e55a3d0614974c3add06690fa7b
                                                              • Opcode Fuzzy Hash: 63b0d9a8d547ac8d2f982035147d942c7ebc56576e20c111212e056e227240c9
                                                              • Instruction Fuzzy Hash: E0F062767201308FC718AB7DE44491A77EAAF8AA6532501B9E805DB335CE71EC019BA0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6850e028e720a3b8cf80ae13e4c4bc4d62f26b878102c4145e70acb6bc45c5b
                                                              • Instruction ID: d8d249438d2dddb6d0d5e15a353344bce3a83cf6f56d25a1913a0d49f49c40ff
                                                              • Opcode Fuzzy Hash: c6850e028e720a3b8cf80ae13e4c4bc4d62f26b878102c4145e70acb6bc45c5b
                                                              • Instruction Fuzzy Hash: F701D6397143528FD7586B74E9A93693B75BB82350F0400BDAB06C32A9DEB9CC81CB50
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dfda18b0993ab15215cc41fa0bf2ef63ea70ac615eed8bc6214721a952adfd1f
                                                              • Instruction ID: 20b7872ec8cab77e256b4ad3fc31f529d567bd432b9ce93bf3cb27c78b32c871
                                                              • Opcode Fuzzy Hash: dfda18b0993ab15215cc41fa0bf2ef63ea70ac615eed8bc6214721a952adfd1f
                                                              • Instruction Fuzzy Hash: 2AF0BB397142528BD7586B74EDA832A3B6AB745750F440578AF06C33D8DEB9DC80C790
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 19a0e98ba66c99e18a192aa627d5e2e960149d46b257ecf7f38308982ae34598
                                                              • Instruction ID: 78198e1f564bf6bfcddb0a0f26d65ba8e380eb100366e9ded6fea7223aaed047
                                                              • Opcode Fuzzy Hash: 19a0e98ba66c99e18a192aa627d5e2e960149d46b257ecf7f38308982ae34598
                                                              • Instruction Fuzzy Hash: 40F02471D09384EFCB05EBF5A8990ECBFB1EF81204B0480DAD15687125FA744645CB50
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da55501731864d2b61c95e322246d0b9b70fe767bc4768b728e4700c8409f0d7
                                                              • Instruction ID: 1c3682efd3e7064dc86c373c32188446e30bdc9a9c18705571901b57cb82a6e4
                                                              • Opcode Fuzzy Hash: da55501731864d2b61c95e322246d0b9b70fe767bc4768b728e4700c8409f0d7
                                                              • Instruction Fuzzy Hash: B1F082727016045FC719DE29F49899EBBA6FFD9321B55813AA40AC3369EA358C06C750
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b915b4a072d14c082e485486c2cb9625e95f02335bb5f831490daef81c94b262
                                                              • Instruction ID: b25b0345e8402495d9a7e0a07570f9aaeed59132d48e3bb4f02f5fa00e28424d
                                                              • Opcode Fuzzy Hash: b915b4a072d14c082e485486c2cb9625e95f02335bb5f831490daef81c94b262
                                                              • Instruction Fuzzy Hash: AFE092353012089FC718EA29F89895ABFBAFFC93617508439E51AC332DEE359C05C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 134a14694a131928ece0cbd7e2b5eaf8ed5f343165d67d0584174621bb9255a2
                                                              • Instruction ID: cc59b2170186439aec4787a1e95c3412849581223a3297778cad327470a06a3d
                                                              • Opcode Fuzzy Hash: 134a14694a131928ece0cbd7e2b5eaf8ed5f343165d67d0584174621bb9255a2
                                                              • Instruction Fuzzy Hash: 09F0F4B4600246CFCB18EF64D198A287BB2FF89718F104468E8069F3A9CB79DC01DF00
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b66ef1eb5cee510cddc69a1d9e05a2500f66e48c3b0a2fc6aa11bcffc4f958d
                                                              • Instruction ID: 8b8a7c33391ad887137a4bbe17de6b2e7ec8315af631f5d2254314ff406b02e5
                                                              • Opcode Fuzzy Hash: 0b66ef1eb5cee510cddc69a1d9e05a2500f66e48c3b0a2fc6aa11bcffc4f958d
                                                              • Instruction Fuzzy Hash: 67E05B3193D3514FC7915979AD9165137DC9B13714B0108B7FD85C7262E5519C0487D9
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e521add056b9f4a8f1f0733a4c9cc4f6493a64b5c4300ccd73cf02a2e2df994c
                                                              • Instruction ID: 0df84074ea116a09cc17e28a80b0e2af9c4cbc3cca095be77c97b9115d22d0ca
                                                              • Opcode Fuzzy Hash: e521add056b9f4a8f1f0733a4c9cc4f6493a64b5c4300ccd73cf02a2e2df994c
                                                              • Instruction Fuzzy Hash: FCE04F71A4414CAFCB05EFE4E9566AC7FB5EB55308F1145A9D808E7252EA314E009B41
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1684828858.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1250000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d4319a73e2759dd09a5febcacb699b038bf218d895fe43581deb6efedbf1c57
                                                              • Instruction ID: 98424ed1f002b7b4e4b99afec96f840f35dcb4c4f08dafc581228d435a28300a
                                                              • Opcode Fuzzy Hash: 8d4319a73e2759dd09a5febcacb699b038bf218d895fe43581deb6efedbf1c57
                                                              • Instruction Fuzzy Hash: 7DD01770A0010CEFCB04EFA8EA4556DBBF9EB45308B1085A9A408E7204EA316F00AB91

                                                              Execution Graph

                                                              Execution Coverage: 12.7%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 214
                                                              Total number of Limit Nodes: 16
                                                              execution_graph 33464 14bd688 DuplicateHandle 33465 14bd71e 33464->33465 33619 14b4668 33620 14b467a 33619->33620 33621 14b4686 33620->33621 33625 14b4778 33620->33625 33630 14b3e0c 33621->33630 33623 14b46a5 33626 14b479d 33625->33626 33634 14b4879 33626->33634 33639 14b4888 33626->33639 33631 14b3e17 33630->33631 33647 14b5c84 33631->33647 33633 14b7048 33633->33623 33635 14b47a7 33634->33635 33637 14b4887 33634->33637 33635->33621 33636 14b498c 33636->33636 33637->33636 33643 14b4514 33637->33643 33641 14b48af 33639->33641 33640 14b498c 33640->33640 33641->33640 33642 14b4514 CreateActCtxA 33641->33642 33642->33640 33644 14b5918 CreateActCtxA 33643->33644 33646 14b59db 33644->33646 33648 14b5c8f 33647->33648 33651 14b5ca4 33648->33651 33650 14b70ed 33650->33633 33652 14b5caf 33651->33652 33655 14b5cd4 33652->33655 33654 14b71c2 33654->33650 33656 14b5cdf 33655->33656 33659 14b5d04 33656->33659 33658 14b72c5 33658->33654 33660 14b5d0f 33659->33660 33661 14b8609 33660->33661 33663 14bcd60 33660->33663 33661->33658 33665 14bcd91 33663->33665 33664 14bcdb5 33664->33661 33665->33664 33668 14bd319 33665->33668 33672 14bd328 33665->33672 33669 14bd328 33668->33669 33671 14bd36f 33669->33671 33676 14bcf14 33669->33676 33671->33664 33673 14bd335 33672->33673 33674 14bd36f 33673->33674 33675 14bcf14 2 API calls 33673->33675 33674->33664 33675->33674 33677 14bcf1f 33676->33677 33679 14bdc80 33677->33679 33680 14bd03c 33677->33680 33679->33679 33681 14bd047 33680->33681 33682 14b5d04 2 API calls 33681->33682 33683 14bdcef 33682->33683 33687 14bfa50 33683->33687 33692 14bfa68 33683->33692 33684 14bdd29 33684->33679 33688 14bfa99 33687->33688 33689 14bfaa5 33687->33689 33688->33689 33690 31d09b0 CreateWindowExW CreateWindowExW 33688->33690 33691 31d09c0 CreateWindowExW CreateWindowExW 33688->33691 33689->33684 33690->33689 33691->33689 33693 14bfaa5 33692->33693 33694 14bfa99 33692->33694 33693->33684 33694->33693 
33695 31d09b0 CreateWindowExW CreateWindowExW 33694->33695 33696 31d09c0 CreateWindowExW CreateWindowExW 33694->33696 33695->33693 33696->33693 33697 31d8db8 33698 31d8de5 33697->33698 33701 31d89a4 33698->33701 33700 31d8e69 33702 31d89af 33701->33702 33705 14b5cd4 2 API calls 33702->33705 33706 14b7210 33702->33706 33703 31de9e4 33703->33700 33705->33703 33707 14b7253 33706->33707 33708 14b5d04 2 API calls 33707->33708 33709 14b72c5 33708->33709 33709->33703 33466 7527258 33467 75273e3 33466->33467 33469 752727e 33466->33469 33469->33467 33470 7522510 33469->33470 33471 75278e0 PostMessageW 33470->33471 33472 752794c 33471->33472 33472->33469 33473 14bd440 33474 14bd486 GetCurrentProcess 33473->33474 33476 14bd4d8 GetCurrentThread 33474->33476 33477 14bd4d1 33474->33477 33478 14bd50e 33476->33478 33479 14bd515 GetCurrentProcess 33476->33479 33477->33476 33478->33479 33482 14bd54b 33479->33482 33480 14bd573 GetCurrentThreadId 33481 14bd5a4 33480->33481 33482->33480 33710 14bacb0 33711 14bacbf 33710->33711 33714 14bad99 33710->33714 33722 14bada8 33710->33722 33715 14badb9 33714->33715 33716 14baddc 33714->33716 33715->33716 33730 14bb031 33715->33730 33734 14bb040 33715->33734 33716->33711 33717 14badd4 33717->33716 33718 14bafe0 GetModuleHandleW 33717->33718 33719 14bb00d 33718->33719 33719->33711 33723 14badb9 33722->33723 33725 14baddc 33722->33725 33723->33725 33728 14bb031 LoadLibraryExW 33723->33728 33729 14bb040 LoadLibraryExW 33723->33729 33724 14badd4 33724->33725 33726 14bafe0 GetModuleHandleW 33724->33726 33725->33711 33727 14bb00d 33726->33727 33727->33711 33728->33724 33729->33724 33732 14bb040 33730->33732 33731 14bb079 33731->33717 33732->33731 33738 14ba188 33732->33738 33735 14bb054 33734->33735 33736 14bb079 33735->33736 33737 14ba188 LoadLibraryExW 33735->33737 33736->33717 33737->33736 33739 14bb620 LoadLibraryExW 33738->33739 33741 14bb699 33739->33741 33741->33731 33487 75260ce 33488 75260d1 33487->33488 33489 752605c 33487->33489 33490 
                                                              Control-flow Graph (continued): nodes in module 07520000 call CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread and ReadProcessMemory; node 31d4050 in module 031D0000 calls CallWindowProcW.

                                                              Control-flow Graph: function 14bd430 (calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId)
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 014BD4BE
                                                              • GetCurrentThread.KERNEL32 ref: 014BD4FB
                                                              • GetCurrentProcess.KERNEL32 ref: 014BD538
                                                              • GetCurrentThreadId.KERNEL32 ref: 014BD591
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0

                                                              Control-flow Graph: function 14bd440 (calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId)
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 014BD4BE
                                                              • GetCurrentThread.KERNEL32 ref: 014BD4FB
                                                              • GetCurrentProcess.KERNEL32 ref: 014BD538
                                                              • GetCurrentThreadId.KERNEL32 ref: 014BD591
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0

                                                              Control-flow Graph: function 7523e5c (calls CreateProcessA)
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0752409E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0

                                                              Control-flow Graph: function 7523e68 (calls CreateProcessA)
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0752409E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0

                                                              Control-flow Graph: function 14bada8 (calls GetModuleHandleW)
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 014BAFFE
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0

                                                              Control-flow Graph: function 31d18e4 (calls CreateWindowExW)
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031D1A02
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1747836538.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_31d0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0

                                                              Control-flow Graph: function 31d18f0 (calls CreateWindowExW)
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031D1A02
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1747836538.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_31d0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0

                                                              Control-flow Graph: function 14b5a84 (single basic block 14b5a84-14b5b14, no API calls)
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 014B59C9
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 014B59C9
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 031D4111
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1747836538.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_31d0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07523B8E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07523C70
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07523C70
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 96201e7cfa773007bc72b8e259d6fb4cd05327a52c1b889282075c5cd6085a65
                                                              • Instruction ID: 6b6a35f865abfd0019e4d6f7e01b6b69c9740cce3a05b06236fde97bf6789133
                                                              • Opcode Fuzzy Hash: 96201e7cfa773007bc72b8e259d6fb4cd05327a52c1b889282075c5cd6085a65
                                                              • Instruction Fuzzy Hash: EC2125B19003599FCB10CFAAC885BDEBBF5FF48320F10842AE919A7250C7789945DBA1
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0752368E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 26089918e4fbcc3197063f054db3c26cfe370f096b428a02376241d73fb8b006
                                                              • Instruction ID: 76eb0c88e7bbd66d0784e7f5ff7ff95638f681507c35189cba3ce479c6201a23
                                                              • Opcode Fuzzy Hash: 26089918e4fbcc3197063f054db3c26cfe370f096b428a02376241d73fb8b006
                                                              • Instruction Fuzzy Hash: 2D215CB19003498FDB10CFA9C485BDEBBF5AF88324F14842AD459A7340C7789545DFA5
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BD70F
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 16b6a72a62744bdd487cec56a9dd37594523032ec735a13ff29ef328076ffb05
                                                              • Instruction ID: 43abbce5fbdc6b4835e651efecad51ffc4e569c55d55ee7d328c34051c75f2b2
                                                              • Opcode Fuzzy Hash: 16b6a72a62744bdd487cec56a9dd37594523032ec735a13ff29ef328076ffb05
                                                              • Instruction Fuzzy Hash: C121E6B5D002499FDB10CFA9D985ADEBFF5FB48324F24811AE914A7310D378A954CF60
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0752368E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: deefe11b3313a1ebf85d8c209a33d712c340fdeb063bce88c00a3bf16f304c65
                                                              • Instruction ID: ac26c9e2bb8d133e8a5a1f63cba9bfed2bbc549279020db0a5f09ab15e252408
                                                              • Opcode Fuzzy Hash: deefe11b3313a1ebf85d8c209a33d712c340fdeb063bce88c00a3bf16f304c65
                                                              • Instruction Fuzzy Hash: 042137B19003098FDB10CFAAC485BEEBBF8AF48324F14842AD419A7340C778A945DFA5
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07523D50
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 6130a545f1f6b3021d178c688d7a74b8ac53ee19d8b42327fe95059c215bef3d
                                                              • Instruction ID: 8d9c9388c1f5a350d42e6cc6c780bb163e0ace3f206b5371fa3fb698fe7201cc
                                                              • Opcode Fuzzy Hash: 6130a545f1f6b3021d178c688d7a74b8ac53ee19d8b42327fe95059c215bef3d
                                                              • Instruction Fuzzy Hash: A92125B1D003599FCB10CFAAC885BEEBBF5FF48320F10842AE519A7250C7789905DBA1
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BD70F
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 47b2b14d89fd0a66b1bbaced382ab98d5ae81e1c1d19060f87b110e743ebb375
                                                              • Instruction ID: e14904559936c2022e8147fb7fabd685305b7b017a857ab030b3d01eed833b3f
                                                              • Opcode Fuzzy Hash: 47b2b14d89fd0a66b1bbaced382ab98d5ae81e1c1d19060f87b110e743ebb375
                                                              • Instruction Fuzzy Hash: BA21E4B5D002489FDB10CF9AD984ADEBFF8EB48324F24801AE918A7310D374A944CFA5
                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014BB079,00000800,00000000,00000000), ref: 014BB68A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 1c666adf5c19459141a9794ab3e5421489bc4f0b9d143f0cfecdf4af90828396
                                                              • Instruction ID: 8d6ec68a1ab397a095dff7d6563cade00eb2520fcc1445d475836e35f772f5cb
                                                              • Opcode Fuzzy Hash: 1c666adf5c19459141a9794ab3e5421489bc4f0b9d143f0cfecdf4af90828396
                                                              • Instruction Fuzzy Hash: DD11D6B5D003099FDB10CF9AC484ADEFBF4EB48310F14841AD519A7210C375A945CFA5
                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014BB079,00000800,00000000,00000000), ref: 014BB68A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: ceed7726e444107470e168ae7d71d4f1168115eefbb38557a2f290ab056ad6ee
                                                              • Instruction ID: 7584b257d2ab3b684eecf7e320ff003ed8cbedf31685c8de5928c5ff18a4c15d
                                                              • Opcode Fuzzy Hash: ceed7726e444107470e168ae7d71d4f1168115eefbb38557a2f290ab056ad6ee
                                                              • Instruction Fuzzy Hash: 5E1117B6D002499FDB20CFAAC484ADEFBF4EB88310F14851AD559A7310C375A545CFA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: d7e42aa413f94ce183c45b94f4df7bf16f2be22de789a1dac0788d87b583a81a
                                                              • Instruction ID: 44bf2ee47c6d19c43d778af85cd3586e1924f5b5cd556324eac931f66958be7a
                                                              • Opcode Fuzzy Hash: d7e42aa413f94ce183c45b94f4df7bf16f2be22de789a1dac0788d87b583a81a
                                                              • Instruction Fuzzy Hash: 4A114CB19003498BDB20DFAAD4457DEFFF4EF88324F208419D419A7240CB795540CB91
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07523B8E
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: d7ba802a3f60daef4d7ae4ebfc3eb77fab2c9818d56961a090a368a3ef59e8bd
                                                              • Instruction ID: e27982bbf64c6767428d1354a1a3e613f6911249803017f1bac4256355c18a4b
                                                              • Opcode Fuzzy Hash: d7ba802a3f60daef4d7ae4ebfc3eb77fab2c9818d56961a090a368a3ef59e8bd
                                                              • Instruction Fuzzy Hash: F7113AB19002499FCB20DFAAC845BDEBFF5EF48324F248419E519A7250C7759940DFA1
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0752793D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: d52963b9601064e420c6a131e803d76e60bc86bfd4123e76fa219b48d167415b
                                                              • Instruction ID: e5b7f354ce66b14ded489516c8dcdbb06426fab1f609e5b9487e24582c47bfcf
                                                              • Opcode Fuzzy Hash: d52963b9601064e420c6a131e803d76e60bc86bfd4123e76fa219b48d167415b
                                                              • Instruction Fuzzy Hash: DD1103B58003599FDB20CF9AD885BDEBBF8FB49324F20841AE558A3640C375A944CFA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: f1754846c252b472367228591610e317a1fed83b76aa1d5ad66d8fba07590ac9
                                                              • Instruction ID: 46fc2fb95038d14f06ba2ce6da965705512951ec8ecf32fe9f849d64f240cd39
                                                              • Opcode Fuzzy Hash: f1754846c252b472367228591610e317a1fed83b76aa1d5ad66d8fba07590ac9
                                                              • Instruction Fuzzy Hash: 71112BB1D003498BDB20DFAAC4457DEFBF5AB88324F248419D519A7240C779A545CB95
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 014BAFFE
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 12a7140f72d3ef846b2f9052813cd1e626b486d6150625ac765e2b7afd20fe0e
                                                              • Instruction ID: 8dad1dfba65b1c97c9acc48d5c20f9b07d20d8e01b58a6b724ead6e3f9eb98d5
                                                              • Opcode Fuzzy Hash: 12a7140f72d3ef846b2f9052813cd1e626b486d6150625ac765e2b7afd20fe0e
                                                              • Instruction Fuzzy Hash: 0E11DFB5C006498FDB24CF9AC484BDEFBF8EB88224F24841AD529A7710D379A545CFA5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0752793D
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1752461747.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7520000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 12865fe59a7917ae7a770e2656f47574c052b2a206a0968367af8d9d2f11c68c
                                                              • Instruction ID: 3cbcd367b05843db21773ca1d21db7436ffcfffe09d216ad3e5b571830535ed5
                                                              • Opcode Fuzzy Hash: 12865fe59a7917ae7a770e2656f47574c052b2a206a0968367af8d9d2f11c68c
                                                              • Instruction Fuzzy Hash: D01136B5800319DFDB20CF99C445BDEBBF8FB49324F20881AE518A3240C374A944CFA1
                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014BB079,00000800,00000000,00000000), ref: 014BB68A
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1746005554.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_14b0000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: 541f169547816bd10d2e106aac6cdedccc7ec7c349d0e92536cddddd95c34c6f
                                                              • Instruction ID: 1a06093179e88af3c8158aa41211b110362f12aba344073dc6482faf1e7c6f5f
                                                              • Opcode Fuzzy Hash: 541f169547816bd10d2e106aac6cdedccc7ec7c349d0e92536cddddd95c34c6f
                                                              • Instruction Fuzzy Hash: 6301BCB29043048FDB108FADE8087DABBF4EFA5324F14815BE109D7261C3B99805CFA6
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1745442821.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_141d000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 50272b07c917a4d650f8763ee5e509d32bf7a1b59783758da63096e4fc22167d
                                                              • Instruction ID: 8a3fe20977d783c8831e93300d14e63e268348dfa914f094d6b6986be44a8100
                                                              • Opcode Fuzzy Hash: 50272b07c917a4d650f8763ee5e509d32bf7a1b59783758da63096e4fc22167d
                                                              • Instruction Fuzzy Hash: 3121F4B1904200DFDB15DF98D9C8B67BF65FB88320F24C56AE9090B26AC336D416CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1745442821.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_141d000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 441ded51b9caaac540b8301509751beaa5b825e73d11cb0f52a39ccfcb012cf2
                                                              • Instruction ID: 9de78add6473e6548d2da7686363ac7cd778755602f6034fbeb6c631ef28c0ae
                                                              • Opcode Fuzzy Hash: 441ded51b9caaac540b8301509751beaa5b825e73d11cb0f52a39ccfcb012cf2
                                                              • Instruction Fuzzy Hash: F721F5F1904240EFDB15DF58D9C4B27BF65FB88318F24C56AE9090B26AC336D456CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1745624793.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_142d000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d94a674843fd8d8ffe7e023bf7e5e6cc2efe080beb5384ec86bfd3f7127553dd
                                                              • Instruction ID: 571976582a8a76c4d880f67186b72dd2fdaf4991fc319bd1d591837d18308bfe
                                                              • Opcode Fuzzy Hash: d94a674843fd8d8ffe7e023bf7e5e6cc2efe080beb5384ec86bfd3f7127553dd
                                                              • Instruction Fuzzy Hash: 322149B1904200EFDB05DF98C9C0B26BB65FB85324F60C96EE9094B362C736D486CB71
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1745624793.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_142d000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fddce8d5859d60ba0780fb669764082ee6d9c69245543aa5472c843963b2beb1
                                                              • Instruction ID: 1b17e50474e483c59b28e09c053f81c45dea7c7d94121d9190161cbd3b657a44
                                                              • Opcode Fuzzy Hash: fddce8d5859d60ba0780fb669764082ee6d9c69245543aa5472c843963b2beb1
                                                              • Instruction Fuzzy Hash: BE2125B1904240DFCB15DF58D9C0B26BB65FB84358F60C56ED90A4B376C33AD487CA61
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1745624793.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_142d000_oJSnAkAh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cf788af08cfc7a856c4182a29b70e4f338c2878d132b8bbc59388a800d4e722
                                                              • Instruction ID: e22d0d574be22c8077ef7b5d57c23a8b82fadd7da4119c6598e1ab420d801182
                                                              • Opcode Fuzzy Hash: 5cf788af08cfc7a856c4182a29b70e4f338c2878d132b8bbc59388a800d4e722
                                                              • Instruction Fuzzy Hash: 392180755093808FDB13CF24D590716BF71EB46218F28C5DBD8498B6A7C33A984ACB62
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.1745442821.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Instruction Fuzzy Hash: FBF024B5D09284EFDB05DBF598940ECBFB1EF81304B04C0DAD15587221EB788605CB40
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1736418445.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_2510000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d3b095b5177d88456c98d117a8ddbd5eb92efe301b36f3bc2f21cd7063adf05
                                                              • Instruction ID: 19796a75beafab5b9759a35e9e24bb5133db2259cc2a0c218d91da0909892a79
                                                              • Opcode Fuzzy Hash: 8d3b095b5177d88456c98d117a8ddbd5eb92efe301b36f3bc2f21cd7063adf05
                                                              • Instruction Fuzzy Hash: BAF0E2393851505FC7499BB8E8B48A9BFB6EFCA220704847AE449C7266DA359C16C760
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1736418445.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_2510000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c2709965b99e5577a28bd4612ca2c511fc5af8d4a349b85503cd9ce513fc542
                                                              • Instruction ID: 68ef65550e3bdb1e661301c30a90e017f12ede4e1e6432e88dcbf0684fc28804
                                                              • Opcode Fuzzy Hash: 3c2709965b99e5577a28bd4612ca2c511fc5af8d4a349b85503cd9ce513fc542
                                                              • Instruction Fuzzy Hash: 40F0BDB8640205CFEB18EF74D158A69B7B2FF88315F1084A9D50A9F3A5CB79E845CF04
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1736418445.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_2510000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 75c65411413ef1363abc1bd9c4f0fdec1a4aedc463cbfe5c94fbd2f1f164ce27
                                                              • Instruction ID: 195d0d3e2f1849626c0e94b06391a39291766f1cb65eb0c740eb33fd2236c023
                                                              • Opcode Fuzzy Hash: 75c65411413ef1363abc1bd9c4f0fdec1a4aedc463cbfe5c94fbd2f1f164ce27
                                                              • Instruction Fuzzy Hash: 21E09B397401145BC714DB69E4A4C5AB7FAFBC93617508439E509C3319DE359C05C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1736418445.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_2510000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fcf9a886e6f99ca7d424c49e10008ffdc23d0f2d50361e1cb444659b002197db
                                                              • Instruction ID: 58839de718e3b1465a3334024feef310ac4fbab2081bbd6378e16b88a862ee7a
                                                              • Opcode Fuzzy Hash: fcf9a886e6f99ca7d424c49e10008ffdc23d0f2d50361e1cb444659b002197db
                                                              • Instruction Fuzzy Hash: 4DE0D870905288AFC742DBF4E5120DD7FF1EF46204B1049EAD848D7252E7305E01E741
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1736418445.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_2510000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cd4c52bea44c9c94fad129c3fa3a5a6b455c68f77336582d1f08e6cde25027d
                                                              • Instruction ID: 84b2546882bcfedc767e7a8c0481e5d6052b06abfc748515f1e7a88339ce93f6
                                                              • Opcode Fuzzy Hash: 5cd4c52bea44c9c94fad129c3fa3a5a6b455c68f77336582d1f08e6cde25027d
                                                              • Instruction Fuzzy Hash: 3AE0C2315192800ED7614A34A8422E63BA59B22220B0048A7EC89C32D2F6458C408789
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.1736418445.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_2510000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 701a1529a7a68242ef7d44e84a5afa6a865b8214fe06cafbf03b16f7f5c9e042
                                                              • Instruction ID: adcb155b5287a618f78e58e5e333ae75ace9b20078ed03a53a8e66f14f25a9ef
                                                              • Opcode Fuzzy Hash: 701a1529a7a68242ef7d44e84a5afa6a865b8214fe06cafbf03b16f7f5c9e042
                                                              • Instruction Fuzzy Hash: A7D01274A00108EFCB04EFB4EA4155EB7F5DB44204B2045999408D3240EB316F10AB41
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1783286029.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_2d90000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 97224d6d9f76ec72573dd1a4477aadbf0ec460d4996c8751ef282bbefbe84373
                                                              • Instruction ID: a38eeae2172bae26889be0ed59501de4d960fbbb61954fa79bbfac59033279e3
                                                              • Opcode Fuzzy Hash: 97224d6d9f76ec72573dd1a4477aadbf0ec460d4996c8751ef282bbefbe84373
                                                              • Instruction Fuzzy Hash: 2703AD70A10319DBDB22DF74CC48BA9B7B6FF89700F518695E6086B295DB716E81CF40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1783286029.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_2d90000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $fq
                                                              • API String ID: 0-12477121
                                                              • Opcode ID: 74bd092a91161ed9aa5fddf65babf886c25d8a3ff91b2a55a25521b0e76a6a53
                                                              • Instruction ID: a1fac5ad8e53e5ceac7309e03518a2e255ad6fa89232f0e58183de50656d9031
                                                              • Opcode Fuzzy Hash: 74bd092a91161ed9aa5fddf65babf886c25d8a3ff91b2a55a25521b0e76a6a53
                                                              • Instruction Fuzzy Hash: 74F18B30A00216DFDF25DF64EA94BAEB7B2BF84314F548529E8059B3E5DB31AC41CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1783286029.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_2d90000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (jq$Hjq
                                                              • API String ID: 0-2151573235
                                                              • Opcode ID: 14af3b846a23edca500a3e330eae9c55c606252c7ef8281867e7c906bac132d5
                                                              • Instruction ID: 51bdee4ffa51d7db20cf1221d95f54c02c6451ceb65502a388fb6f9bcef5fa1a
                                                              • Opcode Fuzzy Hash: 14af3b846a23edca500a3e330eae9c55c606252c7ef8281867e7c906bac132d5
                                                              • Instruction Fuzzy Hash: F7518C71E002199FCF49DFB9A8146EEBFB2EF85310F0480AAE559E7290EB344905CB91
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1783286029.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_2d90000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3724f395b1220d749e91e89449b5241864b61272512e47de5ed1232fcc6030a8
                                                              • Instruction ID: dcaa45ffa53e9eeb7189829d748e7db1a3eeccc272af05078a27972b339884bd
                                                              • Opcode Fuzzy Hash: 3724f395b1220d749e91e89449b5241864b61272512e47de5ed1232fcc6030a8
                                                              • Instruction Fuzzy Hash: 2B618B34A002159FCF15DF64E998BAEBBB6BF88750F148165F905AB3E4CB309C41CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1783286029.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_2d90000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 73b20e17a199396bb120bee31e99cfbb5b1cc5fc8fd4fdd228b88c86e9ce06f2
                                                              • Instruction ID: 26fce4f154aced5dbcb8d8016ed424c57778b5fd8ad8d9c06804002504fbd459
                                                              • Opcode Fuzzy Hash: 73b20e17a199396bb120bee31e99cfbb5b1cc5fc8fd4fdd228b88c86e9ce06f2
                                                              • Instruction Fuzzy Hash: CD01A7717102318FC7559B7DF44881A77B5AF8975531541FAE805DB376CA31EC01DB90
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1783286029.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_2d90000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f740952d917caaa77273c7343cce9709b169603e9ea625ee403c7f1ad29946a0
                                                              • Instruction ID: 64e8479c81af3da9ecd81ff479155bf90407c05a8005cffd86a9b70ce09cb31c
                                                              • Opcode Fuzzy Hash: f740952d917caaa77273c7343cce9709b169603e9ea625ee403c7f1ad29946a0
                                                              • Instruction Fuzzy Hash: B4012630B043129FDB04AB31F9282793761EB82259F0441A9EA02C33E8CF68DC51C780
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1783286029.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_2d90000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 763ce56b27f2ca3c42f4eda00f7607c20c14982afae8f95e6b53b1476ebb8dee
                                                              • Instruction ID: 786ae3bb356f3d92044bd1d5b380d9b004a7d39e0f85269289baedfaf9ffe9c8
                                                              • Opcode Fuzzy Hash: 763ce56b27f2ca3c42f4eda00f7607c20c14982afae8f95e6b53b1476ebb8dee
                                                              • Instruction Fuzzy Hash: 19F062767101308FC754EB7EF44881A77EAAF89A6132541B9E805DB375CE31EC019BE0
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.1783286029.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_2d90000_remcos.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f83a619104c7a256b1b2db5a8b1981b13bb3c79244470a16ad968c264d35b26
                                                              • Instruction ID: fc22ca5b4a9c1641b6bad647f6d1a5f532cbbf30f9a5abb684c868211e618cae
                                                              • Opcode Fuzzy Hash: 2f83a619104c7a256b1b2db5a8b1981b13bb3c79244470a16ad968c264d35b26
                                                              • Instruction Fuzzy Hash: A1F09030B0432297DB14AB75F92C33A37A6AB45A96F044568EB06C33E8DFA5DC51C7C0