Windows Analysis Report
DRAWING_SHEET_P02405912916 .exe

Overview

General Information

Sample name: DRAWING_SHEET_P02405912916 .exe
Analysis ID: 1447921
MD5: 55ec2edc07564f96fadc8681055baf07
SHA1: 76c6df27f51e184509b81812589a59e9aa552f9c
SHA256: e6bb64329e3641fc55e523d5778edeae726d41e3481e26fd0855e1710508cc7b
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DRAWING_SHEET_P02405912916 .exe (PID: 4028 cmdline: "C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe" MD5: 55EC2EDC07564F96FADC8681055BAF07)
    • MSBuild.exe (PID: 4708 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 7140 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • WerFault.exe (PID: 1144 cmdline: C:\Windows\system32\WerFault.exe -u -p 4028 -s 1016 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.officeemailbackup.com", "Username": "1177y@officeemailbackup.com", "Password": "*L_n.e3}D?ky"}
Source | Rule | Description | Author | Strings
00000002.00000002.2625649867.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x31715:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31787:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31811:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x318a3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3190d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3197f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31a15:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31aa5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.MSBuild.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 179.43.183.46, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4708, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49707

                    System Summary

Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 172.67.74.152, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4708, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49705
                    No Snort rule has matched


                    AV Detection

Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.officeemailbackup.com", "Username": "1177y@officeemailbackup.com", "Password": "*L_n.e3}D?ky"}
Source: DRAWING_SHEET_P02405912916 .exe | ReversingLabs: Detection: 34%
Source: DRAWING_SHEET_P02405912916 .exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: DRAWING_SHEET_P02405912916 .exe | Joe Sandbox ML: detected

                    Exploits

Source: Yara match | File source: 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DRAWING_SHEET_P02405912916 .exe PID: 4028, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: DRAWING_SHEET_P02405912916 .exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Code function: 4x nop then jmp 00007FFB4B1B56C6h (0_2_00007FFB4B1B5529)
Source: global traffic | TCP traffic: 192.168.2.8:49707 -> 179.43.183.46:587
Source: Joe Sandbox View | IP Address: 179.43.183.46
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: PLI-ASCH
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.officeemailbackup.com
Source: MSBuild.exe, 00000002.00000002.2629786574.0000000005EE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 00000002.00000002.2629786574.0000000005EE1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 00000002.00000002.2629786574.0000000005EE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2629786574.0000000005F0B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MSBuild.exe, 00000002.00000002.2629786574.0000000005EE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2622599305.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2629786574.0000000005F71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: MSBuild.exe, 00000002.00000002.2625649867.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.officeemailbackup.com
Source: MSBuild.exe, 00000002.00000002.2629786574.0000000005EE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2629786574.0000000005F0B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2622599305.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2629786574.0000000005F71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 00000002.00000002.2625649867.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://officeemailbackup.com
Source: MSBuild.exe, 00000002.00000002.2625649867.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: MSBuild.exe, 00000002.00000002.2625649867.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: MSBuild.exe, 00000002.00000002.2625649867.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: MSBuild.exe, 00000002.00000002.2629786574.0000000005EE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2622599305.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2629786574.0000000005F71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, JovGVW.cs | .Net Code: oz3TFs
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.raw.unpack, JovGVW.cs | .Net Code: oz3TFs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb0e9ac0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4028 -s 1016
Source: DRAWING_SHEET_P02405912916 .exe | Static PE information: No import functions for PE file found
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIkonojutumifuquL vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4934848b-6622-4d0c-968c-4044090c39c2.exe4 vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAsiaMorning.exe" vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000000.1366354137.000001DFC92F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1459949780.000001DFC9670000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1459990900.000001DFC9710000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameIkonojutumifuquL vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000000.1366380678.000001DFC932A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAsiaMorning.exe" vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe | Binary or memory string: OriginalFilenameNativeMethods.dll" vs DRAWING_SHEET_P02405912916 .exe
Source: DRAWING_SHEET_P02405912916 .exe | Binary or memory string: OriginalFilenameAsiaMorning.exe" vs DRAWING_SHEET_P02405912916 .exe
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb0e9ac0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: DRAWING_SHEET_P02405912916 .exe, --.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, yNzg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, KNymkUU5gB.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, KNymkUU5gB.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, LPE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@6/5@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4028
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9849cb27-11b2-45e9-b4de-2caef96fe43b
Source: DRAWING_SHEET_P02405912916 .exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DRAWING_SHEET_P02405912916 .exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DRAWING_SHEET_P02405912916 .exe | ReversingLabs: Detection: 34%
Source: DRAWING_SHEET_P02405912916 .exe | Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | File read: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe
Source: unknown | Process created: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe "C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe"
Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4028 -s 1016
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: version.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: DRAWING_SHEET_P02405912916 .exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: DRAWING_SHEET_P02405912916 .exe -- Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: DRAWING_SHEET_P02405912916 .exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdb source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: System.ni.pdbRSDS source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdbMZ@ source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: System.Core.pdb source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: System.ni.pdb source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: System.pdb source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdb source: WERC8A7.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERC8A7.tmp.dmp.6.dr
                    Source: DRAWING_SHEET_P02405912916 .exe -- Static PE information: 0xACD24723 [Thu Nov 17 14:05:23 2061 UTC]
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Code function: 0_2_00007FFB4B1BC260 pushad ; retf 0_2_00007FFB4B1C2A6A
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Code function: 0_2_00007FFB4B1B7C3A push eax; ret 0_2_00007FFB4B1B7C3B
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Code function: 0_2_00007FFB4B1B00BD pushad ; iretd 0_2_00007FFB4B1B00C1
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Code function: 0_2_00007FFB4B2A0001 push esp; retf 4810h 0_2_00007FFB4B2A0312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Code function: 2_2_0142B692 push ss; iretd 2_2_0142B699
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Code function: 2_2_01420C77 push edi; retf 2_2_01420C7A
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe -- Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe -- Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: DRAWING_SHEET_P02405912916 .exe PID: 4028, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory allocated: 1DFC9540000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory allocated: 1DFE30E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 1420000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2D20000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2C20000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1200000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1199843
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1199734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1199625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1199515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1199405
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1199281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1199172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1199062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1198062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1197953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 1197843
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2527
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 7312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep count: 31 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1928 | Thread sleep count: 2527 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1928 | Thread sleep count: 7312 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -99731s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -99622s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -99514s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -99391s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -99282s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -99157s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -99032s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -98907s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -98797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -98687s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -98563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -98438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -98313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -98188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -98078s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -97969s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -97844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -97735s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -97610s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -97485s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -97360s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -97235s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -97110s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -96985s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -96860s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -96735s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -96610s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -96485s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1200000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1199843s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1199734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1199625s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1199515s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1199405s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1199281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1199172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1199062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198718s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198390s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1198062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1197953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2056 | Thread sleep time: -1197843s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99731
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99622
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99514
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99391
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99282
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99157
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 99032
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98907
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 98078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 97110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 96485
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: MSBuild.exe, 00000002.00000002.2629786574.0000000005F0B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
                    Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: AC1008
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Queries volume information: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb0e9ac0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.2625649867.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2625649867.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DRAWING_SHEET_P02405912916 .exe PID: 4028, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4708, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb0e9ac0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2625649867.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DRAWING_SHEET_P02405912916 .exe PID: 4028, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4708, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1b3940.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb1ee388.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.DRAWING_SHEET_P02405912916 .exe.1dfdb0e9ac0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.2625649867.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2625649867.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: DRAWING_SHEET_P02405912916 .exe PID: 4028, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 4708, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    1
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    1
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Ingress Tool Transfer
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts311
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    21
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    11
                    Encrypted Channel
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    231
                    Security Software Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Standard Port
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                    Timestomp
                    NTDS1
                    Process Discovery
                    Distributed Component Object Model21
                    Input Capture
                    2
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading
                    LSA Secrets151
                    Virtualization/Sandbox Evasion
                    SSH1
                    Clipboard Data
                    23
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts151
                    Virtualization/Sandbox Evasion
                    Cached Domain Credentials1
                    Application Window Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
                    Process Injection
                    DCSync1
                    System Network Configuration Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                            Source | Detection | Scanner | Label
                            DRAWING_SHEET_P02405912916 .exe | 34% | ReversingLabs | Win64.Trojan.Generic
                            DRAWING_SHEET_P02405912916 .exe | 35% | Virustotal |
                            DRAWING_SHEET_P02405912916 .exe | 100% | Joe Sandbox ML |
                            No Antivirus matches
                            No Antivirus matches
                            No Antivirus matches
                            Source | Detection | Scanner | Label
                            https://api.ipify.org/ | 0% | URL Reputation | safe
                            https://api.ipify.org | 0% | URL Reputation | safe
                            http://upx.sf.net | 0% | URL Reputation | safe
                            https://sectigo.com/CPS0 | 0% | URL Reputation | safe
                            https://account.dyn.com/ | 0% | URL Reputation | safe
                            https://api.ipify.org/t | 0% | URL Reputation | safe
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                            http://mail.officeemailbackup.com | 0% | Avira URL Cloud | safe
                            http://officeemailbackup.com | 0% | Avira URL Cloud | safe
                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            officeemailbackup.com | 179.43.183.46 | true | true | | unknown
                            api.ipify.org | 172.67.74.152 | true | true | | unknown
                            fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
                            mail.officeemailbackup.com | unknown | unknown | true | | unknown
                            Name | Malicious | Antivirus Detection | Reputation
                            https://api.ipify.org/ | true | URL Reputation: safe | unknown
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            https://api.ipify.org | DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
                            http://mail.officeemailbackup.com | MSBuild.exe, 00000002.00000002.2625649867.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            https://sectigo.com/CPS0 | MSBuild.exe, 00000002.00000002.2629786574.0000000005EE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2622599305.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2629786574.0000000005F71000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            https://account.dyn.com/ | DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            https://api.ipify.org/t | MSBuild.exe, 00000002.00000002.2625649867.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MSBuild.exe, 00000002.00000002.2625649867.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://officeemailbackup.com | MSBuild.exe, 00000002.00000002.2625649867.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            IP | Domain | Country | ASN | ASN Name | Malicious
                            179.43.183.46 | officeemailbackup.com | Panama | 51852 | PLI-ASCH | true
                            172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | true
                            Joe Sandbox version: 40.0.0 Tourmaline
                            Analysis ID: 1447921
                            Start date and time: 2024-05-27 12:25:40 +02:00
                            Joe Sandbox product: CloudBasic
                            Overall analysis duration: 0h 6m 19s
                            Hypervisor based Inspection enabled: false
                            Report type: full
                            Cookbook file name: default.jbs
                            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed: 13
                            Number of new started drivers analysed: 0
                            Number of existing processes analysed: 0
                            Number of existing drivers analysed: 0
                            Number of injected processes analysed: 0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode: default
                            Analysis stop reason: Timeout
                            Sample name: DRAWING_SHEET_P02405912916 .exe
                            Detection: MAL
                            Classification: mal100.spre.troj.spyw.expl.evad.winEXE@6/5@2/2
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 89%
                            • Number of executed functions: 77
                            • Number of non-executed functions: 1
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 20.190.159.0, 20.190.159.68, 40.126.31.73, 20.190.159.23, 40.126.31.69, 40.126.31.67, 40.126.31.71, 20.190.159.73, 52.182.143.212, 20.12.23.50, 192.229.221.95, 20.166.126.56, 52.165.164.15
                            • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                            • Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
                            Time | Type | Description
                            06:26:36 | API Interceptor | 2584387x Sleep call for process: MSBuild.exe modified
                            06:26:39 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            179.43.183.46 | NEW ORDER.xlsx | malicious | FormBook | lupasgroup.com/Files/promise.exe
                            179.43.183.46 | a6cdf669_by_Libranalysis.xlsx | malicious | AgentTesla | lupasgroup.com/Files/s68r0hZ49vns9tk.exe
                            172.67.74.152 | K8mzlntJVN.msi | malicious | Unknown | api.ipify.org/
                            172.67.74.152 | stub.exe | malicious | Unknown | api.ipify.org/
                            172.67.74.152 | stub.exe | malicious | Unknown | api.ipify.org/
                            172.67.74.152 | Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
                            172.67.74.152 | Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
                            172.67.74.152 | Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
                            172.67.74.152 | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
                            172.67.74.152 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
                            172.67.74.152 | SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
                            172.67.74.152 | SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            fp2e7a.wpc.phicdn.net | https://url.za.m.mimecastprotect.com/s/dkSWC8qYY1u9oZr4unuoBl?domain=t.co | malicious | Unknown | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | script.js | malicious | Unknown | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | https://mary-7.ispring.com/app/preview/df7e6170-1759-11ef-9d84-1e3de37e0836 | malicious | Unknown | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | https://monespace.uegar.com/guest/64/Login/Register?t=blhzTG1lSW5OZ25rMHFpaGl1enJyVllwc2FWSnpuRlNWaklmNDdFb0lRRE5IbDIxMkNFZlFyNytvaEFhZWJzR2V4a0JKUEVHeGNoQTRIY2VpRmhXSE1PRXBDMFYyRTkrSVVrMHBoWVpocHc9 | malicious | Unknown | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | https://verify-signinoutlexchangeadmin.com/MBill@microsoft.com | malicious | HtmlDropper, HTMLPhisher | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | https://paypalgiftcardgenerator.pages.dev/ | malicious | Unknown | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | http://mcguffinboots.com | malicious | Unknown | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | https://help-fb-recovery-center.github.io/notification/index.html | malicious | Unknown | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | https://fix-to-all-issues-review-verification-form-aa-submit-wheat.vercel.app/ | malicious | HTMLPhisher | 192.229.221.95
                            fp2e7a.wpc.phicdn.net | http://y6ss1.shop/ | malicious | Unknown | 192.229.221.95
                            api.ipify.org | proforma invoice.bit.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
                            api.ipify.org | INV 0983 OSY 240524_PDF.exe | malicious | AgentTesla | 104.26.12.205
                            api.ipify.org | PO_27052024.exe | malicious | AgentTesla | 104.26.13.205
                            api.ipify.org | Remittance#26856.html | malicious | HTMLPhisher | 104.26.13.205
                            api.ipify.org | https://interface01.nsxtlmv.workers.dev/ | malicious | HTMLPhisher | 104.26.13.205
                            api.ipify.org | http://christiantensen478345.pages.dev/help/contact/45367900411236/ | malicious | Unknown | 172.67.74.152
                            api.ipify.org | https://louiss-comxinh.pages.dev/help/contact/388061959224233 | malicious | Unknown | 172.67.74.152
                            api.ipify.org | http://worker-office-onedrive.td5xtn-b1lv7f1ymscd0.workers.dev/favicon.ico | malicious | HTMLPhisher | 172.67.74.152
                            api.ipify.org | z23mypdfscanner-invoice3535.bat | malicious | AgentTesla | 104.26.12.205
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            PLI-ASCH | http://inclucedhealth.com | malicious | Unknown | 81.17.29.149
                            PLI-ASCH | http://salecinask.live | malicious | Unknown | 179.43.159.147
                            PLI-ASCH | [EXTERNAL] New file received.eml | malicious | HTMLPhisher | 190.211.254.196
                            PLI-ASCH | zlONcFaXkc.exe | malicious | PureLog Stealer, Xmrig, zgRAT | 179.43.170.230
                            PLI-ASCH | n3R8WBIjhz.exe | malicious | FormBook | 81.17.29.146
                            PLI-ASCH | 0ekwLomWKo.exe | malicious | FormBook | 81.17.29.147
                            PLI-ASCH | travel itinerary.exe | malicious | Remcos | 81.17.17.70
                            PLI-ASCH | General Specification -INVACO PVT.exe | malicious | FormBook | 81.17.29.146
                            PLI-ASCH | 2024#U5e74#U4e00#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc | malicious | Unknown | 179.43.180.99
                            PLI-ASCH | 2024#U5e74#U4e00#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc | malicious | Unknown | 179.43.180.99
                            CLOUDFLARENETUS | PAYMENT COPY.exe | malicious | FormBook | 172.67.137.210
                            CLOUDFLARENETUS | Shipping Document.exe | malicious | FormBook | 172.67.190.203
                            CLOUDFLARENETUS | NUEVA ORDEN DE COMPRAsxlx..exe | malicious | Snake Keylogger | 188.114.96.3
                            CLOUDFLARENETUS | PAYMENT ADVICE.exe | malicious | FormBook | 172.67.190.203
                            CLOUDFLARENETUS | proforma invoice.bit.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
                            CLOUDFLARENETUS | INV 0983 OSY 240524_PDF.exe | malicious | AgentTesla | 104.26.12.205
                            CLOUDFLARENETUS | ZAMOWIEN.EXE.exe | malicious | DBatLoader, FormBook | 172.67.190.76
                            CLOUDFLARENETUS | https://docsend.com/view/qqrrvyqndwsixgqg | malicious | Phisher | 172.67.137.213
                            CLOUDFLARENETUS | https://url.za.m.mimecastprotect.com/s/dkSWC8qYY1u9oZr4unuoBl?domain=t.co | malicious | Unknown | 104.17.2.184
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            3b5074b1b5d032e5620f69f9f700ff0e | NUEVA ORDEN DE COMPRAsxlx..exe | malicious | Snake Keylogger | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | proforma invoice.bit.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | INV 0983 OSY 240524_PDF.exe | malicious | AgentTesla | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | PO_27052024.exe | malicious | AgentTesla | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | 01vwXiyQ8K.exe | malicious | Quasar | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | xA4LQYIndy.exe | malicious | DCRat | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | https://kruekanlogin.gitbook.io/ | malicious | Unknown | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | https://fbreview-requestnow.github.io/ajaz | malicious | Unknown | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE | malicious | DCRat | 172.67.74.152
                            3b5074b1b5d032e5620f69f9f700ff0e | wtrD6RiHlm.exe | malicious | RedLine | 172.67.74.152
                            No context
                            Process: C:\Windows\System32\WerFault.exe
                            File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category: dropped
                            Size (bytes): 65536
                            Entropy (8bit): 1.008734203284085
                            Encrypted: false
                            SSDEEP: 192:dfI+T/havE0UnUVaWBHpSszuiFaZ24lO8un:mCha/UnUVamHcszuiFaY4lO8m
                            MD5: 58A51B70160DB4FB50644AF698EA165B
                            SHA1: A3F493B724B84BFA49C7C1970D79968BFDD09D14
                            SHA-256: 7ED1883088F1FF8B9F1AEAD8D341366DFB90D85A4645A3FBD574283EF78D73B6
                            SHA-512: E3442ABD6D0E8A1CB2476BEDB49125FBD3E977EF958F3B050B1276D2E12989B2DE631E842366AFD6FC8B57AB269D1772AC0A91A8B08712BA2C5B41C8EA62A38A
                            Malicious: false
                            Reputation: low
                            Preview (UTF-16 text decoded, truncated as in the original):
                            Version=1
                            EventType=APPCRASH
                            EventTime=133612791952158992
                            ReportType=2
                            Consent=1
                            UploadTime=133612791957471507
                            ReportStatus=524384
                            ReportIdentifier=8c9e2797-37ac-4a2f-8c4c-14b00a3cae93
                            IntegratorReportIdentifier=68a189de-0f13-4ea7-bd51-8cc9323c9f71
                            Wow64Host=34404
                            NsAppName=DRAWING_SHEET_P02405912916 .exe
                            OriginalFilename=AsiaMorning.exe
                            AppSessionGuid=00000fbc-0001-0014-c7b1-225720b0da01
                            TargetAppId=W:0006946e3508fa5c8fc8279c9fa6adc859a200000000!000076c6df27f51e184509b81812589a59e
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Mini DuMP crash report, 16 streams, Mon May 27 10:26:35 2024, 0x1205a4 type
                            Category:dropped
                            Size (bytes):391458
                            Entropy (8bit):3.2910056862527832
                            Encrypted:false
                            SSDEEP:3072:6CHX0PQVcSrg1vAKij81CCq+h3+vvwFgoc4ipL:6V0sRiGqs3QSWZp
                            MD5:0E80CCD006800771C31AAFECF8CC6DCA
                            SHA1:4BB53964590157923A3C6E71F63C1196D0E48318
                            SHA-256:99A68F47074DB526E6C58507B2BB02725D2668768D20075B7590049306B8AEEF
                            SHA-512:5430889EACE7396528F4C191A4CFA178680E511066D97F5E45CBA16086A68751BC40554781FC11C409B999CB3CCAC21C876E4BB23FB5280145BCEAA76F494748
                            Malicious:false
                            Reputation:low
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8666
                            Entropy (8bit):3.716205473846341
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJHku6YSLwVFgmf4MrprH89bFNAfy3m:R6lXJEu6Y+wVFgmf4MeF6f7
                            MD5:F6A868449980FE9F8E0BA884078659C4
                            SHA1:95590216A2B17E4909CBF48A41309C2296C6B72E
                            SHA-256:53B8231D093B3DFD1087B33890749F83BD266827A4E50B9284673D3E6C6B8FD5
                            SHA-512:242B754E9D67D789DFF10371925139BAD89B1115937711636EF532BBA352B4142979EF934A667CE40D7CF179E41467F1EA76058ECE57E29A50C3E9EC1CBAA3DF
                            Malicious:false
                            Reputation:low
                            Preview (UTF-16 text decoded, truncated as in the original):
                            <?xml version="1.0" encoding="UTF-16"?>
                            <WERReportMetadata>
                              <OSVersionInformation>
                                <WindowsNTVersion>10.0</WindowsNTVersion>
                                <Build>19045</Build>
                                <Product>(0x30): Windows 10 Pro</Product>
                                <Edition>Professional</Edition>
                                <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
                                <Revision>2006</Revision>
                                <Flavor>Multiprocessor Free</Flavor>
                                <Architecture>X64</Architecture>
                                <LCID>2057</LCID>
                              </OSVersionInformation>
                              <ProcessInformation>
                                <Pid>4028</Pi
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4844
                            Entropy (8bit):4.577948559647039
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zsUJg771I97wWpW8VYMYm8M4JA/vQFKcyq85sIc5K3wItIcPd:uIjfSI78J7VoJA/Dclc3wItI8d
                            MD5:D0986D4CAC5E1E25A1716252C0A17239
                            SHA1:5FD947CBB293A545A484D3EF24665227BC5D9257
                            SHA-256:872D78584F86174137650B45CE9DF8EC1B3914DA67BDF51908491B0441EE74D1
                            SHA-512:9B36F639C3B2C868992D694C38D8137840C1AC2391C040427B6568BE06CC02EB39A61DA791936E3946BB41B39B1F10493A01A658A9DB317F2F89330E59C39B63
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="341369" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.372398453063531
                            Encrypted:false
                            SSDEEP:6144:qFVfpi6ceLP/9skLmb0nyWWSPtaJG8nAge35OlMMhA2AX4WABlguNmiL:CV19yWWI/glMM6kF7oq
                            MD5:903A190F414B0D20C843478511510D99
                            SHA1:7FBE0949D0D2EEE38E1C3C026508146683B0B373
                            SHA-256:E67089628F204ABAE5B4FF079AEC3826762D068E8A5A05D11CF422B4025E1E65
                            SHA-512:C8C2D899EBFAC287C1FDA82715DE2713295A86C79237F40DEC2C82F55FF2AD3A0C15538949944D77D9212235D06EE618813DF13B24EA9E8A9F7C74FDBC7EE9C9
                            Malicious:false
                            Reputation:low
                            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.790001715501068
                            TrID:
                            • Win64 Executable GUI Net Framework (217006/5) 49.88%
                            • Win64 Executable GUI (202006/5) 46.43%
                            • Win64 Executable (generic) (12005/4) 2.76%
                            • Generic Win/DOS Executable (2004/3) 0.46%
                            • DOS Executable Generic (2002/1) 0.46%
                            File name:DRAWING_SHEET_P02405912916 .exe
                            File size:811'981 bytes
                            MD5:55ec2edc07564f96fadc8681055baf07
                            SHA1:76c6df27f51e184509b81812589a59e9aa552f9c
                            SHA256:e6bb64329e3641fc55e523d5778edeae726d41e3481e26fd0855e1710508cc7b
                            SHA512:e608b0e0533095390c1502237a2520a47a73c22f44ec770053c0696517b366192f95eb678314c0ff23c4d25e4553ecc06328e5663c60fd310c408480b02917ba
                            SSDEEP:12288:JDkAKHUnZJWA1m70Z/bil4pOgpU9v3JD7ORS/EMpxeW:JtK0nZJWumwFa47pU9/wUp
                            TLSH:AC0512BC76AF9E83D7BDC674E12161018BB9A0137B43E706C504E8DE0E127C666568EF
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...#G............"...0..g..\............ ....@...... ....................................`................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x400000
                            Entrypoint Section:
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0xACD24723 [Thu Nov 17 14:05:23 2061 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:
                            Instruction
                            dec ebp
                            pop edx
                            nop
                            add byte ptr [ebx], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax], al
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x35c | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x38768 | 0x1c | .text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x36784 | 0x36800 | 2254db206425a6cd5cc5748fbb77b5ab | False | 0.5601526662844036 | data | 6.356905705356032 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x3a000 | 0x35c | 0x400 | 725380ceea7cb4798ffb7ee981170699 | False | 0.3505859375 | data | 2.7092544734172037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_VERSION | 0x3a058 | 0x304 | data |  |  | 0.4261658031088083
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            May 27, 2024 12:26:36.430185080 CEST | 192.168.2.8 | 1.1.1.1 | 0x49b7 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                            May 27, 2024 12:26:37.722546101 CEST | 192.168.2.8 | 1.1.1.1 | 0x38bc | Standard query (0) | mail.officeemailbackup.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            May 27, 2024 12:26:36.438568115 CEST | 1.1.1.1 | 192.168.2.8 | 0x49b7 | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                            May 27, 2024 12:26:36.438568115 CEST | 1.1.1.1 | 192.168.2.8 | 0x49b7 | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                            May 27, 2024 12:26:36.438568115 CEST | 1.1.1.1 | 192.168.2.8 | 0x49b7 | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                            May 27, 2024 12:26:37.818027020 CEST | 1.1.1.1 | 192.168.2.8 | 0x38bc | No error (0) | mail.officeemailbackup.com | officeemailbackup.com |  | CNAME (Canonical name) | IN (0x0001) | false
                            May 27, 2024 12:26:37.818027020 CEST | 1.1.1.1 | 192.168.2.8 | 0x38bc | No error (0) | officeemailbackup.com |  | 179.43.183.46 | A (IP address) | IN (0x0001) | false
                            May 27, 2024 12:26:51.199331045 CEST | 1.1.1.1 | 192.168.2.8 | 0xb01 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            May 27, 2024 12:26:51.199331045 CEST | 1.1.1.1 | 192.168.2.8 | 0xb01 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                            May 27, 2024 12:27:03.586246014 CEST | 1.1.1.1 | 192.168.2.8 | 0x3c10 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            May 27, 2024 12:27:03.586246014 CEST | 1.1.1.1 | 192.168.2.8 | 0x3c10 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                            • api.ipify.org
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.8 | 49705 | 172.67.74.152 | 443 | 4708 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-05-27 10:26:37 UTC | 155 | OUT | GET / HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                            Host: api.ipify.org
                            Connection: Keep-Alive
                            2024-05-27 10:26:37 UTC | 211 | IN | HTTP/1.1 200 OK
                            Date: Mon, 27 May 2024 10:26:37 GMT
                            Content-Type: text/plain
                            Content-Length: 12
                            Connection: close
                            Vary: Origin
                            CF-Cache-Status: DYNAMIC
                            Server: cloudflare
                            CF-RAY: 88a54ec5ea4680d9-EWR
                            2024-05-27 10:26:37 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
                            Data Ascii: 8.46.123.175


                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                            May 27, 2024 12:26:38.859607935 CEST | 587 | 49707 | 179.43.183.46 | 192.168.2.8 | 220-cphost21.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 27 May 2024 12:26:38 +0200
                            220-We do not authorize the use of this system to transport unsolicited,
                            220 and/or bulk e-mail.
                            May 27, 2024 12:26:38.859814882 CEST | 49707 | 587 | 192.168.2.8 | 179.43.183.46 | EHLO 648351
                            May 27, 2024 12:26:39.052341938 CEST | 587 | 49707 | 179.43.183.46 | 192.168.2.8 | 250-cphost21.qhoster.net Hello 648351 [8.46.123.175]
                            250-SIZE 52428800
                            250-8BITMIME
                            250-PIPELINING
                            250-PIPECONNECT
                            250-STARTTLS
                            250 HELP
                            May 27, 2024 12:26:39.052495956 CEST | 49707 | 587 | 192.168.2.8 | 179.43.183.46 | STARTTLS
                            May 27, 2024 12:26:39.246319056 CEST | 587 | 49707 | 179.43.183.46 | 192.168.2.8 | 220 TLS go ahead


                            Target ID:0
                            Start time:06:26:30
                            Start date:27/05/2024
                            Path:C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe"
                            Imagebase:0x1dfc92f0000
                            File size:811'981 bytes
                            MD5 hash:55EC2EDC07564F96FADC8681055BAF07
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1460235392.000001DFCB43B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:06:26:34
                            Start date:27/05/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                            Imagebase:0x910000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2625649867.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2625649867.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2625649867.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:moderate
                            Has exited:false

                            Target ID:3
                            Start time:06:26:34
                            Start date:27/05/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                            Imagebase:0xd40000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:6
                            Start time:06:26:35
                            Start date:27/05/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 4028 -s 1016
                            Imagebase:0x7ff6f7470000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true
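Read together, the two records above show the shape that matters for detection: msbuild.exe is started with nothing after the executable path (no project, solution or response file, which a real build always passes), and a moment later WerFault is invoked for a crashed process. As an added example, not part of this Joe Sandbox report or of any vendor tooling, the Python below parses process records in the report's own key:value layout (the sample text is constructed from the two records) and flags both shapes. The project-file extension list is an assumption; which process carried pid 4028 is not stated in the fields shown, so the crash is reported without correlation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two process records above (Target ID 3 and 6), reduced
# to the fields the checks read. Not a log captured anywhere else.
SAMPLE_REPORT = r"""
Target ID:3
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Has exited:true

Target ID:6
Path:C:\Windows\System32\WerFault.exe
Commandline:C:\Windows\system32\WerFault.exe -u -p 4028 -s 1016
Has exited:true
"""

# MSBuild normally receives a project/solution file or a response file; an empty
# argument list is what a launcher leaves behind when it starts the binary
# suspended and replaces its image. Assumed list, extend it for your build hosts.
PROJECT_EXTENSIONS = (".proj", ".csproj", ".vbproj", ".sln", ".targets", ".rsp")


def parse_targets(text: str) -> List[Dict[str, str]]:
    """Split the report's 'Target ID' blocks into field -> value dicts.

    Only the first ':' on a line separates key from value, so the drive
    letter in 'Path:C:\\...' stays inside the value.
    """
    targets: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                targets.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        targets.append(current)
    return targets


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line: double-quoted tokens or runs of non-space."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_bare_msbuild(target: Dict[str, str]) -> bool:
    """True when the image is MSBuild.exe and no argument names a project/response file."""
    path = target.get("Path", "").lower()
    argv = split_cmdline(target.get("Commandline", ""))
    if not path.endswith("\\msbuild.exe") or not argv:
        return False
    positional = [a for a in argv[1:] if not a.startswith(("/", "-"))]
    has_project = any(a.lower().endswith(PROJECT_EXTENSIONS) or a.startswith("@")
                      for a in positional)
    return not has_project


def werfault_crashed_pid(target: Dict[str, str]) -> Optional[int]:
    """Return the PID named by WerFault's -p switch, or None for other images."""
    if not target.get("Path", "").lower().endswith("\\werfault.exe"):
        return None
    argv = split_cmdline(target.get("Commandline", ""))
    for i, tok in enumerate(argv):
        if tok == "-p" and i + 1 < len(argv) and argv[i + 1].isdigit():
            return int(argv[i + 1])
    return None


def triage(report_text: str) -> List[Tuple[str, str, str]]:
    """Run both checks over every process record; returns (target id, rule, detail)."""
    findings: List[Tuple[str, str, str]] = []
    for t in parse_targets(report_text):
        tid = t.get("Target ID", "?")
        if is_bare_msbuild(t):
            findings.append((tid, "msbuild-without-project", t.get("Commandline", "")))
        pid = werfault_crashed_pid(t)
        if pid is not None:
            findings.append((tid, "werfault-crash", f"pid={pid}"))
    return findings


if __name__ == "__main__":
    for tid, rule, detail in triage(SAMPLE_REPORT):
        print(f"target {tid}: {rule}: {detail}")
```

The same two checks transfer unchanged to endpoint telemetry that records image path and command line per process creation; run `triage` over each record and treat `msbuild-without-project` as an alert when the parent is not a build tool.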

                              Execution Graph

                              Execution Coverage:11.9%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:7
                              Total number of Limit Nodes:0
                              execution_graph (7 nodes)
                              16331 7ffb4b1b59a9 -> 16332 7ffb4b1b59af VirtualProtect -> 16334 7ffb4b1b5ad9
                              16335 7ffb4b1b599c -> 16336 7ffb4b1b59e7 VirtualProtect -> 16339 7ffb4b1b5ad9
                              16335 7ffb4b1b599c -> 16337 7ffb4b1b599f

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: qK$0qK$@qK
                              • API String ID: 0-1291200079
                              • Opcode ID: 8595515d5a768de754963cf0c6236b4a92ddd57efb46308579ca80b7e91262c4
                              • Instruction ID: 8da316772c7cd8bb56d347b719c12c72dc6763d563ace1fd88ad379dbe6b6205
                              • Opcode Fuzzy Hash: 8595515d5a768de754963cf0c6236b4a92ddd57efb46308579ca80b7e91262c4
                              • Instruction Fuzzy Hash: EDD147A2B1D5524AE3067B7CFC192F96F95DF85B35B0841BBE18DCA0D3CD18688B46E0

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: qK$0qK$@qK
                              • API String ID: 0-1291200079
                              • Opcode ID: dd777d117935da9edcd3df40add49709263e6f3130ca6e2cbb268002b94fd481
                              • Instruction ID: cf61659f429068b19cb5ac5e560bed14b69fb8d68b55e1fa27afd9ea3da43575
                              • Opcode Fuzzy Hash: dd777d117935da9edcd3df40add49709263e6f3130ca6e2cbb268002b94fd481
                              • Instruction Fuzzy Hash: B2B14792B1D6424AE3067B7CFC192F96FD5DF85B25F0481FBE18DC61D3CD18288A46A1

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: qK$0qK$@qK
                              • API String ID: 0-1291200079
                              • Opcode ID: 49530af5753d8b11d4714ad0005b751735fca10359ba5355e22304de042855e4
                              • Instruction ID: 9046e9a3b5a93ce028795f4b634075815475d01c11d131d7b24a351e37b52793
                              • Opcode Fuzzy Hash: 49530af5753d8b11d4714ad0005b751735fca10359ba5355e22304de042855e4
                              • Instruction Fuzzy Hash: 26B159A2B1D6424AE3067B7CFC192F96BD5DF85B24F0881FBE18DC61D3CD18688646A1

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: qK$0qK$@qK
                              • API String ID: 0-1291200079
                              • Opcode ID: f12b95b1662c568d4010e264541c00bfb00714283b6d5d44af838f4e43c9ebb0
                              • Instruction ID: 5cdfeefc88509919ace7fe25917a6d8d3364476a95a19d7431e000a853f5e509
                              • Opcode Fuzzy Hash: f12b95b1662c568d4010e264541c00bfb00714283b6d5d44af838f4e43c9ebb0
                              • Instruction Fuzzy Hash: 32B149A2B1D6424AE3067B7CFC192F96BD5DF85B24F0881FBE18DC61D3CD18288646A1

                              Control-flow Graph
                              (rendered graph; node legend: Executed / Not Executed)
                              Entry block 7ffb4b1b1045-7ffb4b1b109f; highest block 7ffb4b1b1a77-7ffb4b1b1a86. Call targets: 7ffb4b1b01c8, 7ffb4b1b04f8, 7ffb4b1b0528, 7ffb4b1b05e8, 7ffb4b1b05f0, 7ffb4b1b05f8, 7ffb4b1b0600, 7ffb4b1b0618, 7ffb4b1b0650, 7ffb4b1b0658, 7ffb4b1b0678, 7ffb4b1b06a0, 7ffb4b1b06c8, 7ffb4b1b07a8, 7ffb4b1b07b0, all below the entry in the same non-PE-backed region. The full edge list is omitted.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: 8gK$W
                              • API String ID: 0-1701587082
                              • Opcode ID: 27d5d4fdbcff255579ff63975712198379faa25c3b6fb3039cf839b2de0c475a
                              • Instruction ID: bc639482115eddd4a4195d0df6f1959930c54e6fc7775e7475b1f377f1ef6c66
                              • Opcode Fuzzy Hash: 27d5d4fdbcff255579ff63975712198379faa25c3b6fb3039cf839b2de0c475a
                              • Instruction Fuzzy Hash: 9042F170A2CA068FE759FF38C15567973E2FF89704B15857DD48EC72A6CE28B8528B40
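The four function summaries sharing String ID qK$0qK$@qK carry Instruction Fuzzy Hashes that differ in only a handful of hex digits, while the 8gK$W function directly above has an unrelated hash. The page does not give the hashing algorithm or the Similarity metric Joe Sandbox uses, so as an added example (not the sandbox's method and not code from the report) the Python below measures similarity as a Hamming distance over the printed hex digits and groups the five hashes by single-linkage clustering. The nibble-Hamming metric and the 0.7 threshold are assumptions; the hash strings are copied from the summaries above.

```python
from typing import Dict, List

# The Instruction Fuzzy Hash values printed in the function summaries above:
# four functions sharing String ID qK$0qK$@qK, then the 8gK$W function.
FUZZY_HASHES: Dict[str, str] = {
    "qk_1": "EDD147A2B1D5524AE3067B7CFC192F96F95DF85B35B0841BBE18DCA0D3CD18688B46E0",
    "qk_2": "B2B14792B1D6424AE3067B7CFC192F96FD5DF85B25F0481FBE18DC61D3CD18288A46A1",
    "qk_3": "26B159A2B1D6424AE3067B7CFC192F96BD5DF85B24F0881FBE18DC61D3CD18688646A1",
    "qk_4": "32B149A2B1D6424AE3067B7CFC192F96BD5DF85B24F0881FBE18DC61D3CD18288646A1",
    "gk_1": "9042F170A2CA068FE759FF38C15567973E2FF89704B15857DD48EC72A6CE28B8528B40",
}


def nibble_distance(a: str, b: str) -> int:
    """Hamming distance over hex digits; every digit of a longer string counts as a mismatch."""
    a, b = a.upper(), b.upper()
    n = min(len(a), len(b))
    return sum(x != y for x, y in zip(a[:n], b[:n])) + abs(len(a) - len(b))


def similarity(a: str, b: str) -> float:
    """1.0 for identical hashes, 0.0 when every position differs (assumed metric)."""
    longest = max(len(a), len(b))
    return (1.0 - nibble_distance(a, b) / longest) if longest else 1.0


def cluster(hashes: Dict[str, str], threshold: float) -> List[List[str]]:
    """Single-linkage clustering with union-find: two hashes share a cluster when
    a chain of pairs at or above `threshold` connects them."""
    names = list(hashes)
    parent = {n: n for n in names}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if similarity(hashes[x], hashes[y]) >= threshold:
                parent[find(x)] = find(y)

    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    # largest cluster first, ties broken by first member name
    return sorted(groups.values(), key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    for group in cluster(FUZZY_HASHES, 0.7):
        print(group)
```

Grouping near-duplicate dumped functions this way separates the few genuinely distinct routines from the copies an obfuscator emits, so analyst time goes to one representative per cluster rather than to every variant.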

                              Control-flow Graph
                              (rendered graph; node legend: Executed / Not Executed)
                              Entry block 7ffb4b1b92d8-7ffb4b1cc548; highest block 7ffb4b1ccf44-7ffb4b1ccf4f. Call targets: 7ffb4b1b5e18, 7ffb4b1b61c0, 7ffb4b1b9c98, 7ffb4b1b9ca0, 7ffb4b1b9f60, 7ffb4b1ba300, 7ffb4b1bdc60 (called twice in each of two blocks), 7ffb4b1bfdc0, and 7ffb4b1cce6e, which is the instruction immediately following the calling block 7ffb4b1cce4b-7ffb4b1cce6d. The full edge list is omitted.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: c
                              • API String ID: 0-112844655
                              • Opcode ID: 5ce218a19439f4557fe6743cc2fc40409b4cf5a156802446d63394fe62b49492
                              • Instruction ID: 8525d4b98c3038041b5aa897e520a43f5f8e8ae4b4eb9a3628f6b095673ae432
                              • Opcode Fuzzy Hash: 5ce218a19439f4557fe6743cc2fc40409b4cf5a156802446d63394fe62b49492
                              • Instruction Fuzzy Hash: C3328971A1D6868FE359EF39C4551B57BF1EF81304B1881BED08AC71E2DE28AC46CB81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: H>$K
                              • API String ID: 0-1106714346
                              • Opcode ID: 6263196ae608f3dabe7d1fea55771af59143fe4a02d22dae89432218c187f458
                              • Instruction ID: 172b771279ffcd9e4baec386449f3d6c130e5c5959bd11f1fae981e2c5c8bac1
                              • Opcode Fuzzy Hash: 6263196ae608f3dabe7d1fea55771af59143fe4a02d22dae89432218c187f458
                              • Instruction Fuzzy Hash: 93B2357062CB494FD719EF38C4804A5B7E2FF95305B1485BEE58AC72A6DE34E846CB81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: f&K
                              • API String ID: 0-1171631576
                              • Opcode ID: 04b85c30d093baf175f2a6c1a603a4216503be4ae1e55609ed3220f07ddc9d1d
                              • Instruction ID: f75d87708d987300dd1cb80cf68b3398ddb55991183740104f1850c4946ea245
                              • Opcode Fuzzy Hash: 04b85c30d093baf175f2a6c1a603a4216503be4ae1e55609ed3220f07ddc9d1d
                              • Instruction Fuzzy Hash: B7B2C0B0A1CA498FE7A9EF29D4956B877F1FF55304F1441BAD04EC72A2DA38AC41CB41
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: hy&K
                              • API String ID: 0-2787526675
                              • Opcode ID: eb881a95c04c028fa8c254ad8bcb300382d5fab008a3e3d8d6bb4e372d04539f
                              • Instruction ID: 4ae579f6dd0cf1a66efac249bfb841d664cf004ef3a48626b0c109b57ea18f42
                              • Opcode Fuzzy Hash: eb881a95c04c028fa8c254ad8bcb300382d5fab008a3e3d8d6bb4e372d04539f
                              • Instruction Fuzzy Hash: B5A2287151CB4A8FE759EF38C4944A5B7E1FF95304B1489BED48AC72B2DA38E846CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1464619555.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b2a0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 54822f8d3ff49c0358d2c69cbe1bdad5b3d6e2cd44d452ae0b5dbc792cb1bc9e
                              • Instruction ID: d9dd4867e60297ee719d131cc67c7eae9ab6379cd2811edabfb0d83ba94e35bc
                              • Opcode Fuzzy Hash: 54822f8d3ff49c0358d2c69cbe1bdad5b3d6e2cd44d452ae0b5dbc792cb1bc9e
                              • Instruction Fuzzy Hash: E0E2F3B280DBC64FE756FF38C8A55A57FE0EF5A300F0845FAD189CB1A2D9296805C791
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: d
                              • API String ID: 0-2564639436
                              • Opcode ID: 4b989b981ab8600658bc82c89e89c26a6fb48e464b51f40bf0050b2ef69b1fb1
                              • Instruction ID: d79575dc119f3db09fc00c7320f6d369663550d9662fd3b2e3d01a86f6a77e63
                              • Opcode Fuzzy Hash: 4b989b981ab8600658bc82c89e89c26a6fb48e464b51f40bf0050b2ef69b1fb1
                              • Instruction Fuzzy Hash: 6C2236B192CA894FE34AEF38C88157177E1EF46714B1481BAC59EC71A7DD28E843CB81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: fish
                              • API String ID: 0-1064584243
                              • Opcode ID: 3e5bbd14d4549e36d443eb4351f428afb51a07c33d4a36930629f87ee99b9716
                              • Instruction ID: bf128c0699326abf59a52d53819a6c08d339400c2e2a16e61c99a7027abe0511
                              • Opcode Fuzzy Hash: 3e5bbd14d4549e36d443eb4351f428afb51a07c33d4a36930629f87ee99b9716
                              • Instruction Fuzzy Hash: B8D15B7162CA4A4FE74DFF38D8551B577E1EF96714B0481BEE58BC32E2DD14A8028B81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID: c)
                              • API String ID: 0-3897767060
                              • Opcode ID: 4c54a65479f0b1cc017a58d43deec1baeb2d3335938b5a68a2e3e86f2fb45db2
                              • Instruction ID: a8dc7cd4a31a7c862786c8a17c851fb7b68000df9ca06b1d541c8fbbeae36bd9
                              • Opcode Fuzzy Hash: 4c54a65479f0b1cc017a58d43deec1baeb2d3335938b5a68a2e3e86f2fb45db2
                              • Instruction Fuzzy Hash: 70819291B2C9094BE798FB3CC869778A6D2EF8CB50F548579E14DC32D6DC28BC018B95
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 349549787679100410b0e1f1605b0d7fa98e0586a6d138f707a9f93cfacc0024
                              • Instruction ID: a9e72fda34aac2c0c43b1cd36eaa8b632b53a53244f33641cfe3f084d247f075
                              • Opcode Fuzzy Hash: 349549787679100410b0e1f1605b0d7fa98e0586a6d138f707a9f93cfacc0024
                              • Instruction Fuzzy Hash: D872777152CB894FE369EF38D4415B577E1FF95304B1086BED48AC72A2DE38A846CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b4001ebf811722718fc90543fe008dd767af8af931507ecc15bdfbfaa56326a
                              • Instruction ID: b4bb57c7c8a05b2698e49d17d1d6be5f6dd027959827994fa5181401b6a4acca
                              • Opcode Fuzzy Hash: 3b4001ebf811722718fc90543fe008dd767af8af931507ecc15bdfbfaa56326a
                              • Instruction Fuzzy Hash: 0D32D670A1CA498FDB68EF39C85567977E1EF55304F1441BEE48EC72A2DE24AC42CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37a30aa440497471a321279669bd134f85f330a17f2865c5e5207d813753ae26
                              • Instruction ID: 096cfb7e743ee06d25d6a106814f95f3db33702da37ed2ea3d439b8c7de3a75f
                              • Opcode Fuzzy Hash: 37a30aa440497471a321279669bd134f85f330a17f2865c5e5207d813753ae26
                              • Instruction Fuzzy Hash: C9D1667251CB864FE31DDB38C891171BBD2FF95305B148ABED4CAC72B5DA28A446CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b1d7878ae578aa3aa746041ae35cc5cc6c8f4bd67d208c396c0e21313d2a63c3
                              • Instruction ID: 72d8e5f45af44b4db9e6e68331baf98ebe988b6fde9836f5b1677fdf381a9e92
                              • Opcode Fuzzy Hash: b1d7878ae578aa3aa746041ae35cc5cc6c8f4bd67d208c396c0e21313d2a63c3
                              • Instruction Fuzzy Hash: AF416BB260D7894FD71E9E38C8661B57BE5DB43220B1582BFC587C71A7DC1868078791
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b46e65b77a6a97b95d4f81e6027d090d2070971477c6c5a1ed60903ca7b5f209
                              • Instruction ID: f5f43802618f58a3af7fe28ff89cbcfbb9cb60f5a97188024db644e4f81d4967
                              • Opcode Fuzzy Hash: b46e65b77a6a97b95d4f81e6027d090d2070971477c6c5a1ed60903ca7b5f209
                              • Instruction Fuzzy Hash: 454186B1A0D68A0FD71F9E38C8611A53BA5EB53310B0582FFC587C71E7EC5868068792
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 8d81b7394170289ea6918d28aa613e14bfe2b8fcc2598f211d475015b175a056
                              • Instruction ID: a8dc74c893d0e13d9d6c92a968ed59dc9942e330394e9b553b41d401c9a14a2f
                              • Opcode Fuzzy Hash: 8d81b7394170289ea6918d28aa613e14bfe2b8fcc2598f211d475015b175a056
                              • Instruction Fuzzy Hash: A2516970918B1C8FDB58EF58C895BE9BBF1FB59314F1042AED44AE3251DB70A981CB81
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 0b6900421da020542a6648b5a94bb4d22ba6b0c341e8fe2ec4b1b1952f4b77c2
                              • Instruction ID: 297b1f94868aaf6eac49d0c7f08df52d2a9fc1b2ff94591ed5c4b664e9305dd0
                              • Opcode Fuzzy Hash: 0b6900421da020542a6648b5a94bb4d22ba6b0c341e8fe2ec4b1b1952f4b77c2
                              • Instruction Fuzzy Hash: 2B413A7491861C8FDF48EF58D895AECBBF1FB69315F1052AAC44AE3251DB30A981CF81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1464619555.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b2a0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9bd6f17cf97c388acd4ccf946892cb32340bca4e9762637e11e2dc38f37df379
                              • Instruction ID: 3fe43fa0fb55748eb7d5be4563d08c97cb6b649b28ca7e0c4ae0654bf1ca4299
                              • Opcode Fuzzy Hash: 9bd6f17cf97c388acd4ccf946892cb32340bca4e9762637e11e2dc38f37df379
                              • Instruction Fuzzy Hash: 23416A7580CA8D8FEB49FF24D8954A87FF0FF5A310B1841BEC04AD71A2DA25E851C780
                              Memory Dump Source
                              • Source File: 00000000.00000002.1464619555.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b2a0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1ff5cbffb84039a93e457bd3c4ab431a9ed88b71bf2e95a914a69b56d6fe17d2
                              • Instruction ID: e992eff8580e826adba5db504d9b43d78021bfaa1bc9906f3f8a02517011cbbd
                              • Opcode Fuzzy Hash: 1ff5cbffb84039a93e457bd3c4ab431a9ed88b71bf2e95a914a69b56d6fe17d2
                              • Instruction Fuzzy Hash: 24F01D31A0892D8FDFA5EA4CD880BECB3B1EBA8350F0081E6904DE3151DA30AAC58F50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1464619555.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b2a0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7627f3e4a15c9c1148b376ff07f3f8fb7cf8ae90d2dccc66a51a8fbd059b246
                              • Instruction ID: 16a7417ce93cabb3da7792ee6b6c981855151236cdb1791e1e451a587e9eb47b
                              • Opcode Fuzzy Hash: d7627f3e4a15c9c1148b376ff07f3f8fb7cf8ae90d2dccc66a51a8fbd059b246
                              • Instruction Fuzzy Hash: 10E06531A18A298FDB60EB28C841FEEB3B0FF88300F0040E6D45DE3251CA306A81CF52
                              Memory Dump Source
                              • Source File: 00000000.00000002.1463966805.00007FFB4B1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffb4b1b0000_DRAWING_SHEET_P02405912916 .jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3a5e3e85ec9c861ed47da0dc3f583f446675a8e6451f67708f441fb9320cdc47
                              • Instruction ID: e90cc491cc2c42ccf6d079dd05be81fcd19c786206e043322a1c6cdcb8640d11
                              • Opcode Fuzzy Hash: 3a5e3e85ec9c861ed47da0dc3f583f446675a8e6451f67708f441fb9320cdc47
                              • Instruction Fuzzy Hash: 8D61617091CA8D8FDBA8EF28C8557E977E1FB59300F10412ED84EC7251DB749581CB81

                              Execution Graph

                              Execution Coverage:11.7%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:107
                              Total number of Limit Nodes:19
                              execution_graph 24769 1420848 24771 142084e 24769->24771 24770 142091b 24771->24770 24774 1421380 24771->24774 24781 142148a 24771->24781 24775 1421396 24774->24775 24776 1421484 24775->24776 24777 142148a 3 API calls 24775->24777 24789 1427eb0 24775->24789 24794 1427d98 24775->24794 24799 1427d28 24775->24799 24776->24771 24777->24775 24783 1421396 24781->24783 24784 142148f 24781->24784 24782 1421484 24782->24771 24783->24782 24785 142148a 3 API calls 24783->24785 24786 1427eb0 3 API calls 24783->24786 24787 1427d28 3 API calls 24783->24787 24788 1427d98 3 API calls 24783->24788 24784->24771 24785->24783 24786->24783 24787->24783 24788->24783 24790 1427eba 24789->24790 24791 1427ed4 24790->24791 24804 66bfba0 24790->24804 24809 66bfb90 24790->24809 24791->24775 24795 1427dae 24794->24795 24796 1427e5f 24795->24796 24814 14286e0 24795->24814 24820 1428729 24795->24820 24796->24775 24800 1427d92 24799->24800 24801 1427e5f 24800->24801 24802 14286e0 3 API calls 24800->24802 24803 1428729 3 API calls 24800->24803 24801->24775 24802->24800 24803->24800 24806 66bfbb5 24804->24806 24805 66bfdca 24805->24791 24806->24805 24807 142dbe0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 24806->24807 24808 142dbf0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 24806->24808 24807->24806 24808->24806 24811 66bfbb5 24809->24811 24810 66bfdca 24810->24791 24811->24810 24812 142dbe0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 24811->24812 24813 142dbf0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 24811->24813 24812->24811 24813->24811 24815 14286e5 24814->24815 24816 1428f05 24815->24816 24826 142a023 24815->24826 24831 1429f80 24815->24831 24836 1429f70 24815->24836 24816->24795 24821 1428731 24820->24821 24822 1428f05 24821->24822 24823 142a023 3 API calls 24821->24823 24824 1429f70 3 API calls 24821->24824 24825 1429f80 3 API calls 24821->24825 24822->24795 24823->24821 24824->24821 24825->24821 24828 1429ff8 24826->24828 24827 142a039 24828->24827 24841 142a080 24828->24841 24847 142a070 24828->24847 24833 1429f9d 24831->24833 24832 142a039 24833->24832 24834 142a080 3 API calls 24833->24834 24835 142a070 3 API calls 24833->24835 24834->24833 24835->24833 24838 1429f80 24836->24838 24837 142a039 24838->24837 24839 142a080 3 API calls 24838->24839 24840 142a070 3 API calls 24838->24840 24839->24838 24840->24838 24842 142a09a 24841->24842 24843 142a15a 24842->24843 24853 142a2b0 24842->24853 24858 142a24d 24842->24858 24863 142a4ae 24842->24863 24848 142a080 24847->24848 24849 142a15a 24848->24849 24850 142a2b0 3 API calls 24848->24850 24851 142a4ae 3 API calls 24848->24851 24852 142a24d 3 API calls 24848->24852 24850->24848 24851->24848 24852->24848 24855 142a1b9 24853->24855 24854 142a4dd 24854->24842 24855->24854 24868 142dbe0 24855->24868 24873 142dbf0 24855->24873 24860 142a1b9 24858->24860 24859 142a4dd 24859->24842 24860->24858 24860->24859 24861 142dbe0 3 API calls 24860->24861 24862 142dbf0 3 API calls 24860->24862 24861->24860 24862->24860 24865 142a1b9 24863->24865 24864 142a4dd 24864->24842 24865->24864 24866 142dbe0 3 API calls 24865->24866 24867 142dbf0 3 API calls 24865->24867 24866->24865 24867->24865 24869 142dbf0 24868->24869 24870 142dbff 24869->24870 24878 142ec98 24869->24878 24870->24855 24874 142dc5f 24873->24874 24875 142dbff 24873->24875 24874->24875 24877 142ec98 3 API calls 24874->24877 24875->24855 24876 142e0d0 24876->24855 24877->24876 24882 142ecd0 24878->24882 24890 142ece0 24878->24890 24879 142e0d0 24879->24855 24883 142ece0 24882->24883 24884 142eced 24883->24884 24898 142e448 24883->24898 24884->24879 24887 142ed36 24887->24879 24888 142edfe GlobalMemoryStatusEx 24889 142ee2e 24888->24889 24889->24879 24891 142ed15 24890->24891 24892 142eced 24890->24892 24893 142e448 GlobalMemoryStatusEx 24891->24893 24892->24879 24895 142ed32 24893->24895 24894 142ed36 24894->24879 24895->24894 24896 142edfe GlobalMemoryStatusEx 24895->24896 24897 142ee2e 24896->24897 24897->24879 24899 142edb8 GlobalMemoryStatusEx 24898->24899 24901 142ed32 24899->24901 24901->24887 24901->24888
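The execution graph above is the text that Joe Sandbox emits behind its rendered graph: a node id, the node's address, optional label words (API names, or a summary such as "3 API calls"), and id->id edges. The following parser is an added example for triaging such a text export; it is not code from the report or from the sample. It assumes the token layout visible in this report (decimal node ids, lowercase hex addresses, CamelCase API names) and runs on a trimmed excerpt of this report's own graph text embedded as sample input. It lists each API call site with the number of calls at that site, and the functions that reach those sites, so the repeated GlobalMemoryStatusEx calls at 0x142dbe0/0x142dbf0 and the 0x66bfbb5 caller in the injected MSBuild region stand out without reading the raw dump.

```python
"""Parse Joe Sandbox execution-graph text and summarise API call sites.

Added example for triage of a text-exported report; not code from the
report or the sample. Assumed token layout (as seen in this report):
  <node_id> <hex_address> [label words ...]   defines a node
  <node_id>-><node_id>                         defines an edge
Node ids are decimal, addresses lowercase hex, API names CamelCase words.
"""
import re
from collections import defaultdict

DEC_RE = re.compile(r"^\d+$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")
NON_API_WORDS = {"API"}  # "3 API calls" is a node summary, not an API name

# Trimmed excerpt of the execution_graph text from this report (sample input).
SAMPLE_GRAPH = (
    "execution_graph 24769 1420848 24771 142084e 24769->24771 24770 142091b "
    "24771->24770 24774 1421380 24771->24774 24775 1421396 24774->24775 "
    "24777 142148a 3 API calls 24775->24777 24789 1427eb0 24775->24789 "
    "24790 1427eba 24789->24790 24791 1427ed4 24790->24791 24804 66bfba0 "
    "24790->24804 24806 66bfbb5 24804->24806 24805 66bfdca 24805->24791 "
    "24806->24805 24807 142dbe0 GlobalMemoryStatusEx GlobalMemoryStatusEx "
    "GlobalMemoryStatusEx 24806->24807 24808 142dbf0 GlobalMemoryStatusEx "
    "GlobalMemoryStatusEx GlobalMemoryStatusEx 24806->24808 24807->24806 "
    "24808->24806 24888 142edfe GlobalMemoryStatusEx 24889 142ee2e 24888->24889"
)


def _starts_node(tokens, i):
    """True if tokens[i], tokens[i+1] look like '<node_id> <hex_address>'."""
    return (i + 1 < len(tokens)
            and DEC_RE.match(tokens[i]) is not None
            and HEX_RE.match(tokens[i + 1]) is not None)


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [labels]),
    edges is a list of (src_id, dst_id)."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif _starts_node(tokens, i):
            node_id, addr = int(tokens[i]), int(tokens[i + 1], 16)
            i += 2
            labels = []
            # Label words run until the next edge or the next node definition.
            while (i < len(tokens) and not EDGE_RE.match(tokens[i])
                   and not _starts_node(tokens, i)):
                labels.append(tokens[i])
                i += 1
            nodes[node_id] = (addr, labels)
        else:
            i += 1  # stray token: skip it rather than abort the whole parse
    return nodes, edges


def api_sites(nodes):
    """Map api_name -> {address: calls at that site}. Nodes the graph repeats
    for the same address with the same labels are counted once."""
    seen, sites = set(), defaultdict(dict)
    for addr, labels in nodes.values():
        key = (addr, tuple(labels))
        if key in seen:
            continue
        seen.add(key)
        for word in labels:
            if API_RE.match(word) and word not in NON_API_WORDS:
                sites[word][addr] = sites[word].get(addr, 0) + 1
    return dict(sites)


def callers_of_api(nodes, edges, api_name):
    """Addresses of nodes with an edge into a node whose labels name api_name."""
    targets = {nid for nid, (_, labels) in nodes.items() if api_name in labels}
    return {nodes[src][0] for src, dst in edges if dst in targets and src in nodes}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for api, sites in api_sites(nodes).items():
        for addr, n in sorted(sites.items()):
            print(f"{api} at 0x{addr:x}: {n} call(s)")
        callers = sorted(callers_of_api(nodes, edges, api))
        print("  reached from: " + ", ".join(f"0x{a:x}" for a in callers))
```

On the full graph text the same functions report the 0x142dbe0 and 0x142dbf0 sites (three GlobalMemoryStatusEx calls each), plus the single-call sites at 0x142e448, 0x142edb8 and 0x142edfe, and the 0x66bfbb5 caller that the 0x066B0000 MSBuild dump belongs to.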
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 277daffb5bbc21cdb05608d8bad80b7fae2cc9cdede63b3ce9a53868df64f812
                              • Instruction ID: 118c5ae3853337a45966276588f27988770e016ef9d9359989bffb04b19433b6
                              • Opcode Fuzzy Hash: 277daffb5bbc21cdb05608d8bad80b7fae2cc9cdede63b3ce9a53868df64f812
                              • Instruction Fuzzy Hash: 35A21334E00204CFDBA0DB68C594BADBBF6EB45314F5594AAD409AB362DB35ED85CF80
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6b2864aa1ea5f0e4b34534fb8e6f4f9764b609334c62c7c04f3cecb75d0ab278
                              • Instruction ID: 182ddfed182bee725db21b3208c92606651e9f3ac13a677420449de64be070de
                              • Opcode Fuzzy Hash: 6b2864aa1ea5f0e4b34534fb8e6f4f9764b609334c62c7c04f3cecb75d0ab278
                              • Instruction Fuzzy Hash: 31628D31B10204DFDB54DB68D994AADBBB2FF84310F249469E806DB391DB35ED82CB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1762 66bc2d8-66bc2fa 1763 66bc2fc-66bc2ff 1762->1763 1764 66bc322-66bc325 1763->1764 1765 66bc301-66bc31d 1763->1765 1766 66bc327-66bc390 1764->1766 1767 66bc395-66bc398 1764->1767 1765->1764 1766->1767 1768 66bc39a-66bc3ac 1767->1768 1769 66bc3b1-66bc3b4 1767->1769 1768->1769 1772 66bc3e1-66bc3e4 1769->1772 1773 66bc3b6-66bc3dc 1769->1773 1776 66bc3e6-66bc400 1772->1776 1777 66bc405-66bc408 1772->1777 1773->1772 1776->1777 1778 66bc40a-66bc410 1777->1778 1779 66bc415-66bc418 1777->1779 1778->1779 1783 66bc41a-66bc420 1779->1783 1784 66bc425-66bc428 1779->1784 1783->1784 1785 66bc42a-66bc44f 1784->1785 1786 66bc454-66bc457 1784->1786 1785->1786 1789 66bc459-66bc468 1786->1789 1790 66bc46f-66bc472 1786->1790 1792 66bc474-66bc475 1789->1792 1799 66bc46a 1789->1799 1791 66bc47a-66bc47d 1790->1791 1790->1792 1797 66bc48f-66bc492 1791->1797 1798 66bc47f-66bc48a 1791->1798 1792->1791 1800 66bc4bf-66bc4c2 1797->1800 1801 66bc494-66bc4ba 1797->1801 1798->1797 1799->1790 1804 66bc4da-66bc4dd 1800->1804 1805 66bc4c4-66bc4d5 1800->1805 1801->1800 1807 66bc4df-66bc502 1804->1807 1808 66bc507-66bc50a 1804->1808 1805->1804 1807->1808 1813 66bc50c-66bc50e 1808->1813 1814 66bc511-66bc514 1808->1814 1813->1814 1815 66bc516-66bc530 1814->1815 1816 66bc535-66bc538 1814->1816 1815->1816 1820 66bc53e-66bc541 1816->1820 1821 66bc5ed-66bc5f3 1816->1821 1824 66bc558-66bc55b 1820->1824 1825 66bc543-66bc546 1820->1825 1827 66bc58e-66bc594 1821->1827 1828 66bc5f5 1821->1828 1831 66bc55d-66bc560 1824->1831 1832 66bc565-66bc568 1824->1832 1829 66bc66c-66bc6a5 1825->1829 1830 66bc54c-66bc553 1825->1830 1827->1829 1834 66bc59a-66bc5a1 1827->1834 1833 66bc5fa-66bc5fd 1828->1833 1848 66bc6a7-66bc6aa 1829->1848 1830->1824 1831->1832 1836 66bc56a-66bc584 1832->1836 1837 66bc589-66bc58c 1832->1837 1839 66bc5ff-66bc601 1833->1839 1840 66bc604-66bc607 1833->1840 1835 66bc5a6-66bc5a9 1834->1835 1841 66bc5ab-66bc5ac 1835->1841 1842 66bc5b1-66bc5b4 1835->1842 1836->1837 1837->1827 1837->1835 1839->1840 1844 66bc609-66bc62e 1840->1844 1845 66bc633-66bc636 1840->1845 1841->1842 1846 66bc5b6-66bc5d0 1842->1846 1847 66bc5d5-66bc5d8 1842->1847 1844->1845 1849 66bc5da-66bc5dd 1845->1849 1850 66bc638-66bc63b 1845->1850 1846->1847 1847->1849 1855 66bc5e8-66bc5eb 1847->1855 1853 66bc6ca-66bc6cd 1848->1853 1854 66bc6ac-66bc6c5 1848->1854 1849->1825 1856 66bc5e3 1849->1856 1857 66bc64f-66bc651 1850->1857 1858 66bc63d-66bc644 1850->1858 1861 66bc6cf-66bc6e8 1853->1861 1862 66bc6f5-66bc6f8 1853->1862 1854->1853 1855->1821 1855->1833 1856->1855 1863 66bc658-66bc65b 1857->1863 1864 66bc653 1857->1864 1858->1841 1860 66bc64a 1858->1860 1860->1857 1881 66bc757-66bc763 1861->1881 1884 66bc6ea-66bc6f4 1861->1884 1865 66bc6fa-66bc704 1862->1865 1866 66bc705-66bc708 1862->1866 1863->1763 1869 66bc661-66bc66b 1863->1869 1864->1863 1870 66bc70a-66bc718 1866->1870 1871 66bc71f-66bc722 1866->1871 1870->1861 1882 66bc71a 1870->1882 1874 66bc745-66bc747 1871->1874 1875 66bc724-66bc740 1871->1875 1878 66bc749 1874->1878 1879 66bc74e-66bc751 1874->1879 1875->1874 1878->1879 1879->1848 1879->1881 1885 66bc769-66bc772 1881->1885 1886 66bc903-66bc90d 1881->1886 1882->1871 1887 66bc778-66bc798 1885->1887 1888 66bc90e-66bc946 1885->1888 1896 66bc79e-66bc7a7 1887->1896 1897 66bc8f1-66bc8fd 1887->1897 1892 66bc948-66bc94b 1888->1892 1894 66bc951-66bc95f 1892->1894 1895 66bcb07-66bcb0a 1892->1895 1901 66bc966-66bc968 1894->1901 1898 66bcb2d-66bcb2f 1895->1898 1899 66bcb0c-66bcb28 1895->1899 1896->1888 1900 66bc7ad-66bc7dc call 66b66e8 1896->1900 1897->1885 1897->1886 1902 66bcb31 1898->1902 1903 66bcb36-66bcb39 1898->1903 1899->1898 1919 66bc81e-66bc834 1900->1919 1920 66bc7de-66bc816 1900->1920 1906 66bc96a-66bc96d 1901->1906 1907 66bc97f-66bc9a9 1901->1907 1902->1903 1903->1892 1904 66bcb3f-66bcb48 1903->1904 1906->1904 1914 66bc9af-66bc9b8 1907->1914 1915 66bcafc-66bcb06 1907->1915 1917 66bc9be-66bcacd call 66b66e8 1914->1917 1918 66bcad5-66bcafa 1914->1918 1917->1914 1969 66bcad3 1917->1969 1918->1904 1925 66bc852-66bc868 1919->1925 1926 66bc836-66bc84a 1919->1926 1920->1919 1932 66bc86a-66bc87e 1925->1932 1933 66bc886-66bc899 1925->1933 1926->1925 1932->1933 1941 66bc89b-66bc8a5 1933->1941 1942 66bc8a7 1933->1942 1943 66bc8ac-66bc8ae 1941->1943 1942->1943 1945 66bc8df-66bc8eb 1943->1945 1946 66bc8b0-66bc8b5 1943->1946 1945->1896 1945->1897 1947 66bc8c3 1946->1947 1948 66bc8b7-66bc8c1 1946->1948 1950 66bc8c8-66bc8ca 1947->1950 1948->1950 1950->1945 1952 66bc8cc-66bc8d8 1950->1952 1952->1945 1969->1915
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be31194a4158e9fb7e747a492b0e3faf20bd6bc15ccae5e7f090afa8ccfd5014
                              • Instruction ID: 8f8a8fe4a2b07380aec925db081a02eb911e82fb320a6d55be0beab29c1ff856
                              • Opcode Fuzzy Hash: be31194a4158e9fb7e747a492b0e3faf20bd6bc15ccae5e7f090afa8ccfd5014
                              • Instruction Fuzzy Hash: B1326F35B10209DFDB54DB68D890BAEBBB2FB88310F209529E505EB355DB31ED81CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e03173c0c7e8b0046f4b87ab37b6db7a8981c600c3ab56432ba0b4a64fe0c11
                              • Instruction ID: e3e277fe25df1ab2fab47731e2eed30999f04eccfff45acf227c60d355c24012
                              • Opcode Fuzzy Hash: 6e03173c0c7e8b0046f4b87ab37b6db7a8981c600c3ab56432ba0b4a64fe0c11
                              • Instruction Fuzzy Hash: 46226E70E10209CBEFA4DB68D8907EEB7B6EB89310F649426E405DB395DE35DC818B51

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2696 66b31b8-66b31d9 2697 66b31db-66b31de 2696->2697 2698 66b31e0-66b31ff 2697->2698 2699 66b3204-66b3207 2697->2699 2698->2699 2700 66b39a8-66b39aa 2699->2700 2701 66b320d-66b322c 2699->2701 2703 66b39ac 2700->2703 2704 66b39b1-66b39b4 2700->2704 2709 66b322e-66b3231 2701->2709 2710 66b3245-66b324f 2701->2710 2703->2704 2704->2697 2705 66b39ba-66b39c3 2704->2705 2709->2710 2711 66b3233-66b3243 2709->2711 2713 66b3255-66b3264 2710->2713 2711->2713 2822 66b3266 call 66b39d8 2713->2822 2823 66b3266 call 66b39d0 2713->2823 2715 66b326b-66b3270 2716 66b327d-66b355a 2715->2716 2717 66b3272-66b3278 2715->2717 2738 66b399a-66b39a7 2716->2738 2739 66b3560-66b360f 2716->2739 2717->2705 2748 66b3638 2739->2748 2749 66b3611-66b3636 2739->2749 2751 66b3641-66b3654 2748->2751 2749->2751 2753 66b365a-66b367c 2751->2753 2754 66b3981-66b398d 2751->2754 2753->2754 2757 66b3682-66b368c 2753->2757 2754->2739 2755 66b3993 2754->2755 2755->2738 2757->2754 2758 66b3692-66b369d 2757->2758 2758->2754 2759 66b36a3-66b3779 2758->2759 2771 66b377b-66b377d 2759->2771 2772 66b3787-66b37b7 2759->2772 2771->2772 2776 66b37b9-66b37bb 2772->2776 2777 66b37c5-66b37d1 2772->2777 2776->2777 2778 66b37d3-66b37d7 2777->2778 2779 66b3831-66b3835 2777->2779 2778->2779 2782 66b37d9-66b3803 2778->2782 2780 66b383b-66b3877 2779->2780 2781 66b3972-66b397b 2779->2781 2780->2792 2792 66b3879-66b387b 2793 66b3885-66b3893 2780->2793 2781->2754 2781->2759 2789 66b3811-66b382e 2782->2789 2790 66b3805-66b3807 2782->2790 2789->2779 2790->2789 2792->2793 2796 66b38aa-66b38b5 2793->2796 2797 66b3895-66b38a0 2793->2797 2801 66b38cd-66b38de 2796->2801 2802 66b38b7-66b38bd 2796->2802 2797->2796 2800 66b38a2 2797->2800 2800->2796 2806 66b38e0-66b38e6 2801->2806 2807 66b38f6-66b3902 2801->2807 2803 66b38bf 2802->2803 2804 66b38c1-66b38c3 2802->2804 2803->2801 2804->2801 2808 66b38ea-66b38ec 2806->2808 2809 66b38e8 2806->2809 2811 66b391a-66b396b 2807->2811 2812 66b3904-66b390a 2807->2812 2808->2807 2809->2807 2811->2781 2813 66b390e-66b3910 2812->2813 2814 66b390c 2812->2814 2813->2811 2814->2811 2822->2715 2823->2715
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dab40307d29adb2a14c609dccde8a13686459ae257520d4145d69272b768ca55
                              • Instruction ID: 122174810871d6b93f69c4fb0972e6094c37bbf5be314fd2763ca21047a72740
                              • Opcode Fuzzy Hash: dab40307d29adb2a14c609dccde8a13686459ae257520d4145d69272b768ca55
                              • Instruction Fuzzy Hash: D9321D31E1061ACFDB14EB75C85069DB7B2FFD9300F60D6AAD449A7364EB30A985CB90
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 47d8daf9dc52849d37f33cbd2b8cecf6ed042044ad4c94fa7b0f8089e849e55d
                              • Instruction ID: a9eeefd3d49da7de1c2ec371a6283c3ce81e036211a0d227ffacaa509fd96434
                              • Opcode Fuzzy Hash: 47d8daf9dc52849d37f33cbd2b8cecf6ed042044ad4c94fa7b0f8089e849e55d
                              • Instruction Fuzzy Hash: E4028E31B10216DFDB54DF64D890AAEB7AAFF84310F249529E806DB355DB31ED82CB90
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b827bfa8cfcc8232dc7e3f1e4fc39036adfa6e01e5b7c9b809a618cf8b281d4
                              • Instruction ID: 811c07dc62532b148bc04fb9266c1cf50b8e1ea1c1e7564c7aa6eee9ce3d5274
                              • Opcode Fuzzy Hash: 0b827bfa8cfcc8232dc7e3f1e4fc39036adfa6e01e5b7c9b809a618cf8b281d4
                              • Instruction Fuzzy Hash: 24F1E371E10215DFDB60DF64C8806EEBBB2FF85310F24856AD846AB345DA35EC82CB91

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 512 142ece0-142eceb 513 142ed15-142ed34 call 142e448 512->513 514 142eced-142ed14 512->514 519 142ed36-142ed39 513->519 520 142ed3a-142ed99 513->520 527 142ed9b-142ed9e 520->527 528 142ed9f-142ee2c GlobalMemoryStatusEx 520->528 532 142ee35-142ee5d 528->532 533 142ee2e-142ee34 528->533 533->532
                              Memory Dump Source
                              • Source File: 00000002.00000002.2623298473.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1420000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: adbdc7eb7022bee64fd3a3792ca1351dad92765e1b311a1325ee20bad1de34b9
                              • Instruction ID: ec7d36538bed3a96d3ab6b5a0283f49af7a6a9a9a251f8104f741991e03c1c1f
                              • Opcode Fuzzy Hash: adbdc7eb7022bee64fd3a3792ca1351dad92765e1b311a1325ee20bad1de34b9
                              • Instruction Fuzzy Hash: 82412571D003598FDB14DFAAD8046EEBBF5EF89210F15866BD508A7350DB749885CBE0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 536 142e448-142ee2c GlobalMemoryStatusEx 539 142ee35-142ee5d 536->539 540 142ee2e-142ee34 536->540 540->539
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0142ED32), ref: 0142EE1F
                              Memory Dump Source
                              • Source File: 00000002.00000002.2623298473.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1420000_MSBuild.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: 8c97c254b1c547a5dce2dbda2392aa33ecfae8b80d0fb57b732529e539c75e5d
                              • Instruction ID: 1db4266b8992bd60aefd4e0933ac45ee21a0d1900de411a162e92ed7660c7ff9
                              • Opcode Fuzzy Hash: 8c97c254b1c547a5dce2dbda2392aa33ecfae8b80d0fb57b732529e539c75e5d
                              • Instruction Fuzzy Hash: 8A1114B1C0065A9BDB10DF9AC4447DEFBF4AF48620F10812AE918B7350D778A945CFE1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 543 142edb0-142edf6 545 142edfe-142ee2c GlobalMemoryStatusEx 543->545 546 142ee35-142ee5d 545->546 547 142ee2e-142ee34 545->547 547->546
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0142ED32), ref: 0142EE1F
                              Memory Dump Source
                              • Source File: 00000002.00000002.2623298473.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1420000_MSBuild.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: caf0b459ed78afb02d1692f557346eb5584dc0631d75e9f0a2a886b18e459f2a
                              • Instruction ID: e1ade91b33a88bda37af85be3e2c67e37b37842b5eb2770bfaf7c298fe1e7bbf
                              • Opcode Fuzzy Hash: caf0b459ed78afb02d1692f557346eb5584dc0631d75e9f0a2a886b18e459f2a
                              • Instruction Fuzzy Hash: C31103B1C0065A9BDB14DF9AC844BDEFBF4AB48620F11812AE818B7350D778A945CFA5

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 762 66bff58-66bff60 763 66bff62-66bff8b 762->763 764 66bff17-66bff2b 762->764 772 66bff91-66bffa2 763->772 766 66bff2d-66bff30 764->766 767 66bff31-66bff3d 764->767 766->767 769 66bff3f-66bff51 767->769 770 66bff52-66bff56 767->770 775 66bffcd-66bffd0 772->775 776 66bffa4-66bffc6 772->776 776->775
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: i
                              • API String ID: 0-3865851505
                              • Opcode ID: c0cf1c2c4e90d9cca6572972323f8b1a0fa499ae32c4fe8e0e9109be75442187
                              • Instruction ID: 8ca27083a003c28d40d3809ed2277044d1ec8452bff539983407aef81322a511
                              • Opcode Fuzzy Hash: c0cf1c2c4e90d9cca6572972323f8b1a0fa499ae32c4fe8e0e9109be75442187
                              • Instruction Fuzzy Hash: AA110835B043568FD790EF7CD84029EBBE5AB82201F1045BDD949C7796E734D842CB92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1501 66bd0a0-66bd0bb 1502 66bd0bd-66bd0c0 1501->1502 1503 66bd109-66bd10c 1502->1503 1504 66bd0c2-66bd104 1502->1504 1505 66bd11b-66bd11e 1503->1505 1506 66bd10e-66bd110 1503->1506 1504->1503 1507 66bd141-66bd144 1505->1507 1508 66bd120-66bd13c 1505->1508 1510 66bd447-66bd450 1506->1510 1511 66bd116 1506->1511 1512 66bd14a-66bd14d 1507->1512 1513 66bd58c-66bd598 1507->1513 1508->1507 1514 66bd45f-66bd46b 1510->1514 1515 66bd452-66bd457 1510->1515 1511->1505 1518 66bd14f-66bd154 1512->1518 1519 66bd157-66bd15a 1512->1519 1522 66bd3ee-66bd3fd 1513->1522 1523 66bd59e-66bd88b 1513->1523 1520 66bd57c-66bd581 1514->1520 1521 66bd471-66bd485 1514->1521 1515->1514 1518->1519 1526 66bd15c-66bd19e 1519->1526 1527 66bd1a3-66bd1a6 1519->1527 1538 66bd589 1520->1538 1537 66bd48b-66bd49d 1521->1537 1521->1538 1524 66bd3ff-66bd404 1522->1524 1525 66bd40c-66bd418 1522->1525 1714 66bdab2-66bdabc 1523->1714 1715 66bd891-66bd897 1523->1715 1524->1525 1529 66bd41e-66bd430 1525->1529 1530 66bdabd-66bdaf6 1525->1530 1526->1527 1532 66bd1a8-66bd1aa 1527->1532 1533 66bd1b5-66bd1b8 1527->1533 1552 66bd435-66bd437 1529->1552 1554 66bdaf8-66bdafb 1530->1554 1532->1538 1539 66bd1b0 1532->1539 1540 66bd1ba-66bd1fc 1533->1540 1541 66bd201-66bd204 1533->1541 1556 66bd49f-66bd4a5 1537->1556 1557 66bd4c1-66bd4c3 1537->1557 1538->1513 1539->1533 1540->1541 1545 66bd24d-66bd250 1541->1545 1546 66bd206-66bd248 1541->1546 1549 66bd26d-66bd270 1545->1549 1550 66bd252-66bd268 1545->1550 1546->1545 1559 66bd2b9-66bd2bc 1549->1559 1560 66bd272-66bd2b4 1549->1560 1550->1549 1561 66bd439 1552->1561 1562 66bd43e-66bd441 1552->1562 1565 66bdb1e-66bdb21 1554->1565 1566 66bdafd-66bdb19 1554->1566 1574 66bd4a9-66bd4b5 1556->1574 1575 66bd4a7 1556->1575 1583 66bd4cd-66bd4d9 1557->1583 1572 66bd2be-66bd300 1559->1572 1573 66bd305-66bd308 1559->1573 1560->1559 1561->1562 1562->1502 1562->1510 1569 66bdb23 call 66bdc15 1565->1569 1570 66bdb30-66bdb33 1565->1570 1566->1565 1590 66bdb29-66bdb2b 1569->1590 1578 66bdb66-66bdb68 1570->1578 1579 66bdb35-66bdb61 1570->1579 1572->1573 1584 66bd30a-66bd319 1573->1584 1585 66bd351-66bd354 1573->1585 1581 66bd4b7-66bd4bf 1574->1581 1575->1581 1593 66bdb6a 1578->1593 1594 66bdb6f-66bdb72 1578->1594 1579->1578 1581->1583 1608 66bd4db-66bd4e5 1583->1608 1609 66bd4e7 1583->1609 1586 66bd31b-66bd320 1584->1586 1587 66bd328-66bd334 1584->1587 1591 66bd39d-66bd3a0 1585->1591 1592 66bd356-66bd398 1585->1592 1586->1587 1587->1530 1598 66bd33a-66bd34c 1587->1598 1590->1570 1603 66bd3e9-66bd3ec 1591->1603 1604 66bd3a2-66bd3e4 1591->1604 1592->1591 1593->1594 1594->1554 1602 66bdb74-66bdb83 1594->1602 1598->1585 1623 66bdbea-66bdbff 1602->1623 1624 66bdb85-66bdbe8 call 66b66e8 1602->1624 1603->1522 1603->1552 1604->1603 1614 66bd4ec-66bd4ee 1608->1614 1609->1614 1614->1538 1621 66bd4f4-66bd510 call 66b66e8 1614->1621 1646 66bd51f-66bd52b 1621->1646 1647 66bd512-66bd517 1621->1647 1636 66bdc00 1623->1636 1624->1623 1636->1636 1646->1520 1650 66bd52d-66bd57a 1646->1650 1647->1646 1650->1538 1716 66bd899-66bd89e 1715->1716 1717 66bd8a6-66bd8af 1715->1717 1716->1717 1717->1530 1718 66bd8b5-66bd8c8 1717->1718 1720 66bd8ce-66bd8d4 1718->1720 1721 66bdaa2-66bdaac 1718->1721 1722 66bd8e3-66bd8ec 1720->1722 1723 66bd8d6-66bd8db 1720->1723 1721->1714 1721->1715 1722->1530 1724 66bd8f2-66bd913 1722->1724 1723->1722 1727 66bd922-66bd92b 1724->1727 1728 66bd915-66bd91a 1724->1728 1727->1530 1729 66bd931-66bd94e 1727->1729 1728->1727 1729->1721 1732 66bd954-66bd95a 1729->1732 1732->1530 1733 66bd960-66bd979 1732->1733 1735 66bd97f-66bd9a6 1733->1735 1736 66bda95-66bda9c 1733->1736 1735->1530 1739 66bd9ac-66bd9b6 1735->1739 1736->1721 1736->1732 1739->1530 1740 66bd9bc-66bd9d3 1739->1740 1742 66bd9e2-66bd9fd 1740->1742 1743 66bd9d5-66bd9e0 1740->1743 1742->1736 1748 66bda03-66bda1c call 66b66e8 1742->1748 1743->1742 1752 66bda2b-66bda34 1748->1752 1753 66bda1e-66bda23 1748->1753 1752->1530 1754 66bda3a-66bda8e 1752->1754 1753->1752 1754->1736
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2439e942794eb79809dd6a718557bd2d186251ca37991e35e76d23d2479514bf
                              • Instruction ID: 14329499fc808b11f6f41be702085ba2b2c3b1cb4ef8fe08519efeaf7898edf1
                              • Opcode Fuzzy Hash: 2439e942794eb79809dd6a718557bd2d186251ca37991e35e76d23d2479514bf
                              • Instruction Fuzzy Hash: AB623B30A0031ACFDB55EB68D990A9DB7B2FF84304F209A29D4059F359DB75ED86CB81
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 74c60f9fe6149dab409f1b12a5d6382dee51ba9613348738434226b97278a927
                              • Instruction ID: 0232a0dac3f6b9752e6ea57defe90726cf4b7cbbb6f7b8f38811c50aae48de7d
                              • Opcode Fuzzy Hash: 74c60f9fe6149dab409f1b12a5d6382dee51ba9613348738434226b97278a927
                              • Instruction Fuzzy Hash: 8E023930E10209CFDBA4DF68D8806ADB7B2FB85310F24956AE406DB355DF35E982CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6a102bda32d26817c171d1b7502f68a3e5da564cedb5093cd05a0e118a07eb08
                              • Instruction ID: ef256a1bb2aba69f209a2f74801e181eb7666c1620776ea479f912a83d2d3f02
                              • Opcode Fuzzy Hash: 6a102bda32d26817c171d1b7502f68a3e5da564cedb5093cd05a0e118a07eb08
                              • Instruction Fuzzy Hash: 5DE16E30E10319CFDB65DBA9D8906AEB7B2FF85310F20952AE9059B354DF319C86CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c7ff77e48112ebe16dc7b48ecef3fe6e1db3ead37ef73530e367524f07152570
                              • Instruction ID: f049eb747019c215760388203b42ca9edeabaaa9451b84392a2903e7cd50fdda
                              • Opcode Fuzzy Hash: c7ff77e48112ebe16dc7b48ecef3fe6e1db3ead37ef73530e367524f07152570
                              • Instruction Fuzzy Hash: EFB1A071F00215DBDB14EFA4D884AEE77B6EF88310F209529E902AB354DB35ED46CB90
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a44bd5a77641cf77caa8d3983aeb7a4365c686cdd30835258184a5f80fc6e5eb
                              • Instruction ID: ff1841b19a593e2c21d9aa204eca9c3eb075871c64c8102e6fde85e0eece1652
                              • Opcode Fuzzy Hash: a44bd5a77641cf77caa8d3983aeb7a4365c686cdd30835258184a5f80fc6e5eb
                              • Instruction Fuzzy Hash: 5C914F30B1021ACFDB95DB68D850BAEB7B6AF85300F108569D909DB344EE31ED858B91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 726ff03d90adc09eb844571e4791b85b9f5570dcef8c97c48d2cafb1b8ff2a23
                              • Instruction ID: 0035bbc1e20c0e128a65762a3e9a9ace48bde7fccb12ad9a11c4059d5b598198
                              • Opcode Fuzzy Hash: 726ff03d90adc09eb844571e4791b85b9f5570dcef8c97c48d2cafb1b8ff2a23
                              • Instruction Fuzzy Hash: 6E61C772F001218BDF50AB7DC88099EBAD7EFC4610B15543AD80ADB3A4DE65ED4287D5
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0f2c0d2cb5b6dbca05d34cb1d5bbe7542527297182f4093fc20822de78bb0e04
                              • Instruction ID: 2ad11c0c97dbcece15c4b643b41d43bec40edc69d7925e285a770d6afecc31fa
                              • Opcode Fuzzy Hash: 0f2c0d2cb5b6dbca05d34cb1d5bbe7542527297182f4093fc20822de78bb0e04
                              • Instruction Fuzzy Hash: 3E814E31B11209CFDF54DFA9D4506AEBBF6AF89300F109529D80ADB359DE31EC828B91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b1f541843772fe158fb47818ad0bc46de8644ff651bbf231f2053cbdd423262
                              • Instruction ID: 237a26dfb9414f53e09a8042bff4bb89beb154cf72ee3c70e1718b6209be9a7a
                              • Opcode Fuzzy Hash: 0b1f541843772fe158fb47818ad0bc46de8644ff651bbf231f2053cbdd423262
                              • Instruction Fuzzy Hash: 50914D30E00219CBDB60DF64C880BDDB7B1FF89310F20869AD549AB355DB71AA85CF91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7de53d2e2b4a0b074c77a5264523951c0cd30ff27eedb2e53a25cc0aaae2d659
                              • Instruction ID: fbb49e49d3b525f7490684a7805a51f05940456e5ebb990f610d20124f3ebf54
                              • Opcode Fuzzy Hash: 7de53d2e2b4a0b074c77a5264523951c0cd30ff27eedb2e53a25cc0aaae2d659
                              • Instruction Fuzzy Hash: A6911A30E10619CBDF60DF68C880B9DB7B1FF89310F208699D549AB355DB71AA85CF90
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5a40c4569ad855a85aee983a1946d2faab8f20c3fc7b4357f7b1c7e02ab29ac8
                              • Instruction ID: e997c25e79a890a1ee1da3ecd6be6c93eceaa3cb7714891061355696216576df
                              • Opcode Fuzzy Hash: 5a40c4569ad855a85aee983a1946d2faab8f20c3fc7b4357f7b1c7e02ab29ac8
                              • Instruction Fuzzy Hash: 97712A31A00249DFDB54DBA9C980AEDBBF6FF88300F249529E415AB355DB31E986CB50
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 600ac69256fc4ec3316f01ee68473afe6cdaaf034371d7da79c0feadc6cae18c
                              • Instruction ID: a7b4b71bc4eaf177c84e9ffb3479101e78b41d3ec2f624364a572c7da423d16b
                              • Opcode Fuzzy Hash: 600ac69256fc4ec3316f01ee68473afe6cdaaf034371d7da79c0feadc6cae18c
                              • Instruction Fuzzy Hash: 3B712730E00249DFDB54DBA9C980AEDBBF6FF88340F249529E415AB355DB31E986CB40
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d19119571d9551efdb1ca58417fca561c0263b25a5f9fea2385851020b4efeb
                              • Instruction ID: d5584a8cdb931a328239e4b824578db898a0c8309ccd1c48d180276ffdb1d0a3
                              • Opcode Fuzzy Hash: 0d19119571d9551efdb1ca58417fca561c0263b25a5f9fea2385851020b4efeb
                              • Instruction Fuzzy Hash: B1617C70F00218DFEB549BA5C854BAEBBF6FF88700F20842AE506AB395DF754C458B91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 55832651690d39bc175cf149a8be4efd47e2194f55320499446652cef702aeaa
                              • Instruction ID: 0b79559a2ba4cd1f29ba0a4e8525239e1df7000f3f0d069a374c36fdd3d9a6be
                              • Opcode Fuzzy Hash: 55832651690d39bc175cf149a8be4efd47e2194f55320499446652cef702aeaa
                              • Instruction Fuzzy Hash: 2B51F330B10214CBEF606668DCA47AF669AD7D9711F20442AE90BC73A5CF79CC8193A2
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0f523e7074f28883f5d3cfee6b2e866885ff60a4a5498644a99c52115cc1e0c9
                              • Instruction ID: f178ebeb159dfebc05611f81ec85bed4143781f8dba30c8c1284f2333d1017cf
                              • Opcode Fuzzy Hash: 0f523e7074f28883f5d3cfee6b2e866885ff60a4a5498644a99c52115cc1e0c9
                              • Instruction Fuzzy Hash: F9514031B10116CFDB95DB68D890BAEB7F6BF85700F108569D90ADB384EA31ED428B91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 166ec985200480f89a4b4cca0a9339f4bcd9e27c61adad73244c17208d6fe2a6
                              • Instruction ID: 7fd1de39004bb746b7f36a8f7f04f208befa8c09ce5640302828e9f6597f7795
                              • Opcode Fuzzy Hash: 166ec985200480f89a4b4cca0a9339f4bcd9e27c61adad73244c17208d6fe2a6
                              • Instruction Fuzzy Hash: B951C030B10215CBEF60666CDC647AF769AE7D9711F60442AE90BC33A4CF79CC8153A2
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c29321a0865a1849a2e815d1b9fb2fdef629f3590008b102364902bc46a20e72
                              • Instruction ID: c2d15ffbae210f3abd70416099baa97a76c510e7068f122d8aaae57d6832160a
                              • Opcode Fuzzy Hash: c29321a0865a1849a2e815d1b9fb2fdef629f3590008b102364902bc46a20e72
                              • Instruction Fuzzy Hash: 2F51A070F002089FDB549FA5C814BAEBBF6FFC8700F20852AE505AB395DE759C458B91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c8786cc38747a9129b2e6c30d03947bb9341eefc987366acf9426c184b4972a
                              • Instruction ID: aeddbd432471e77933f8df7d13756d0884aaafbdef5af7a456251214a85a1331
                              • Opcode Fuzzy Hash: 5c8786cc38747a9129b2e6c30d03947bb9341eefc987366acf9426c184b4972a
                              • Instruction Fuzzy Hash: 6B415E72E00609CFDF60CF99D881AEEF7B6EB84310F10492AE156D7650D734E9958B91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 877c0e26268acfff277fc1e636eb325cb59c94ad636bf10512847d57603e4104
                              • Instruction ID: 7f923dac717a6499ab0802cc588d5a635f643ea6cc631b46d46981d6c0ae5410
                              • Opcode Fuzzy Hash: 877c0e26268acfff277fc1e636eb325cb59c94ad636bf10512847d57603e4104
                              • Instruction Fuzzy Hash: B741B070E00349DFDB65DF65D4846AEBBB6BF85700F20882AE801EF344DB709886CB81
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0e1f21af6036a0dab33e1aac2265ba493bf1d482f6f16d87e80c1800592fbce9
                              • Instruction ID: 2384ca2cb4c27831e0bf15ce57646b4d76d674c16ddc287c6b9599a3d7125f46
                              • Opcode Fuzzy Hash: 0e1f21af6036a0dab33e1aac2265ba493bf1d482f6f16d87e80c1800592fbce9
                              • Instruction Fuzzy Hash: E831F030B10205CFDB69AB74C4646BE7BE6AF89710F245469D802DB395DF35CE82CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ac0d74021448af84d94d2643547eabb80e7741f35a81db049d390de3e8859d5a
                              • Instruction ID: b918809f577d3ce8c3f42f62ccbf9d14375219aa2148ef35784705400dfa0814
                              • Opcode Fuzzy Hash: ac0d74021448af84d94d2643547eabb80e7741f35a81db049d390de3e8859d5a
                              • Instruction Fuzzy Hash: 7231B030B10209CFDB68AB74C4646BE7BE6AF89710F249468D806DB395DF35DE82C791
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b9dd48321e3db4019d9019518499d23a2d044f694008a8e4b81d39d2d9d42778
                              • Instruction ID: 0b78c113349f842b6d4333fd2e74652f28ab3d0fc435c13ce4670ee5c3af2460
                              • Opcode Fuzzy Hash: b9dd48321e3db4019d9019518499d23a2d044f694008a8e4b81d39d2d9d42778
                              • Instruction Fuzzy Hash: 67319270E1031ADBDF24DF64C890ADEBBB6FF85304F109529E805EB304DB71A9868B91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 263ec8166001fbfd327a7f6f157a3ffd14ecd5dd7510b139247745ca05dd5448
                              • Instruction ID: e212b9b546823350827ab58e56e83e3d21a816496d8caf84b0320abbbf079912
                              • Opcode Fuzzy Hash: 263ec8166001fbfd327a7f6f157a3ffd14ecd5dd7510b139247745ca05dd5448
                              • Instruction Fuzzy Hash: 1D31A134E10609DFCB55CF64C864AAEB7F6BF89300F148519EA16EB390DB71AD82CB51
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 60885b462b432778caaf8b34fa04cd89acc421eb2e41d33b8a8d0144816b9977
                              • Instruction ID: c3e8833c3e77f04661fc13d28053f21c41666444384749d6e93e87742d634d0c
                              • Opcode Fuzzy Hash: 60885b462b432778caaf8b34fa04cd89acc421eb2e41d33b8a8d0144816b9977
                              • Instruction Fuzzy Hash: 9B317031E10609DFCB55CF64C864AAEB7F6BF89300F148529EA06EB350DB71AD82CB51
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9016c4e38d9a4ffadd7b1a95bb591b81a1c6dae433f4a4a30a6e1b79f1ed868
                              • Instruction ID: 0cf264914cdc020585e8e71217ae8d344b779e41875a1106a069955d02d341dd
                              • Opcode Fuzzy Hash: f9016c4e38d9a4ffadd7b1a95bb591b81a1c6dae433f4a4a30a6e1b79f1ed868
                              • Instruction Fuzzy Hash: FD21A035A11292EFDBA0EF25E9406BE77EAAB64604F005014C908C7319EB35D997CBD1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bd697451bf72762d741ccec404850db4459e5898f23034153ee86d381be92e07
                              • Instruction ID: f8cdf26f8d58b7c4d8a4f005044aaacc263411d2c935f97f61b24264563c4912
                              • Opcode Fuzzy Hash: bd697451bf72762d741ccec404850db4459e5898f23034153ee86d381be92e07
                              • Instruction Fuzzy Hash: 21217C75F11215DFDB50EFB9E880AEEBBF5AB88310F108025E905E7344E735D9818B90
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a76da248ed28c43d6e9aae72ed22858a0aaab08d9631ea310136feda025912e8
                              • Instruction ID: e240c6704bc7d3265103cf3b24b56d94cf3c0c566f88d0ef6c3257e2ab301f29
                              • Opcode Fuzzy Hash: a76da248ed28c43d6e9aae72ed22858a0aaab08d9631ea310136feda025912e8
                              • Instruction Fuzzy Hash: 64217C75F11215DFDB50EFA9E880AEEBBF1AB88310F208029E905E7350E735E8418B90
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a15d2199da9825bd794a6edc9643bb31bdc8b6877486e601cc7b82b2f1298d80
                              • Instruction ID: 71f7d6b193513ae69e84e7cf86adb74fcda96c46ececc64f2a3cbe1ca80f7fcd
                              • Opcode Fuzzy Hash: a15d2199da9825bd794a6edc9643bb31bdc8b6877486e601cc7b82b2f1298d80
                              • Instruction Fuzzy Hash: 82217131A10252EFDBA0EF25D9506BE77E6AB64744F005124CD08C7359EB36D997CBC0
                              Memory Dump Source
                              • Source File: 00000002.00000002.2622812673.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_13dd000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a837a047cbfcfb100101be4e2230aa42d3dd2e0bdcf64a7562a6930c5b785d43
                              • Instruction ID: b334b7870fdd36a19850c2cfa9546a25f68f9c89c9879fe63ea57215341f7350
                              • Opcode Fuzzy Hash: a837a047cbfcfb100101be4e2230aa42d3dd2e0bdcf64a7562a6930c5b785d43
                              • Instruction Fuzzy Hash: 8B2122B2604308AFDB11DF64E8C4B26BB65FBC4318F20C56DE9490B782C73AD446CA62
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6ed7199022ae5987c78db5284f92fdf2995535ef75a12595f404de56f49bb7ef
                              • Instruction ID: f03ddc0645d56008a5d7ce6d55cb6993fcdccd842e35637423ab24783cf8c067
                              • Opcode Fuzzy Hash: 6ed7199022ae5987c78db5284f92fdf2995535ef75a12595f404de56f49bb7ef
                              • Instruction Fuzzy Hash: 8E216031B11118DBDF94DA68E9646EEBBB6FFC4310F149425E805D7344DB31ED828B94
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7cd232053841c032e9148c180ec0b5b1702e34b6b5d95fe872b8a9bc0d772562
                              • Instruction ID: 90480a498de9f3ba7cd017a963eb2650b81b4b02894bcd05c4558b114c9f19f5
                              • Opcode Fuzzy Hash: 7cd232053841c032e9148c180ec0b5b1702e34b6b5d95fe872b8a9bc0d772562
                              • Instruction Fuzzy Hash: C3112230B052108FDB61967EC850B6EBBDADBC6610F14842AF10ECB346DD12DC4283A1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 17940561bde89c07c45321170a4f052e1112043b35f1f1ad823bc77c699483ba
                              • Instruction ID: b2dece0dea4fc424c05cfa657336730ce32887551b9110a42e266dbcbaca4e4f
                              • Opcode Fuzzy Hash: 17940561bde89c07c45321170a4f052e1112043b35f1f1ad823bc77c699483ba
                              • Instruction Fuzzy Hash: BF11A132B111288FDB949A68E8106EE77AAEBC8310F104539D506E7344DE65DD028BD1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 35a637bd07b3aa2562bdd119b8fe4fbee1a0c116e58983dd43e1c1c77fa9e558
                              • Instruction ID: 866c532476db83e84758642d79c05f09198776e576ea540927dcc8cc95189eeb
                              • Opcode Fuzzy Hash: 35a637bd07b3aa2562bdd119b8fe4fbee1a0c116e58983dd43e1c1c77fa9e558
                              • Instruction Fuzzy Hash: F821E4B5D01619AFCB00DF9AD884ACEFBB4FB48720F108229E918B3350C7746554CFA5
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a7a5a776db70839f131500784aebbaa3c28a91a735d2bf9e782fb7156deaf1a3
                              • Instruction ID: aba1532c0840262bef6f745e2937e95d3f9e3945a0dc16069f4a501587bf7e5a
                              • Opcode Fuzzy Hash: a7a5a776db70839f131500784aebbaa3c28a91a735d2bf9e782fb7156deaf1a3
                              • Instruction Fuzzy Hash: 0E012D30B112104FDB61EB7CD814B5B77D5EB86714F10442EF10ACB351EE21DC818341
                              Memory Dump Source
                              • Source File: 00000002.00000002.2622812673.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_13dd000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                              • Instruction ID: 251c5e78370669aef5792a9884ab9edd81ac0e83eac00592226ddad9c6a164db
                              • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                              • Instruction Fuzzy Hash: 2411BB76504284CFCB12CF64D9C4B15BBA2FB84328F24C6A9D8494B292C33AD44ACF62
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 201780d438484e8d0892e5644b36907189687aec3fbb03275c2f933f9926a5cf
                              • Instruction ID: fef958a8fcaa7e70bccc52a99c0d8a9188f64813e5fce0b6c4f848a46c7e930f
                              • Opcode Fuzzy Hash: 201780d438484e8d0892e5644b36907189687aec3fbb03275c2f933f9926a5cf
                              • Instruction Fuzzy Hash: 1B01F730B115108FDB619A3CE454BAF77EADBC6754F10842AF50EC7346DA22DC424381
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b5865db27977edc9cc2a1a33413ee37d3ec5b1a088fceb0dbebfddc603ee54b
                              • Instruction ID: b9342ae64a365961fa8a38e5facbe9e30af524447f5017fb103643e7d3dd4cee
                              • Opcode Fuzzy Hash: 2b5865db27977edc9cc2a1a33413ee37d3ec5b1a088fceb0dbebfddc603ee54b
                              • Instruction Fuzzy Hash: B501F732B211698BDB949679EC106EF7AEBEBC8310F54453ED506E3340EE619D0247E1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3246ce26431625b84cfb29d5f9591bef6c74b5142c1580309a1e26d06fc1c3dc
                              • Instruction ID: 2e385331805187d98fdb24a3b2fe7cc2c6098de251ff6f3c0f0c9627644dcd90
                              • Opcode Fuzzy Hash: 3246ce26431625b84cfb29d5f9591bef6c74b5142c1580309a1e26d06fc1c3dc
                              • Instruction Fuzzy Hash: 0311AFB5D01259AFCB10DF9AD884ADEFBB8FB48714F10812AE918A7350C374A954CFA5
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 26c334543a484c3601a06e5e8fa7c31b14616c97e6be45e28dbf1be039372afb
                              • Instruction ID: bc71bd6027609ec839e6655c3c514bd37bf41c08b3c644f873ce3a018ca9bb87
                              • Opcode Fuzzy Hash: 26c334543a484c3601a06e5e8fa7c31b14616c97e6be45e28dbf1be039372afb
                              • Instruction Fuzzy Hash: 5201AD31B101118BDBA0956ED454B6FB2DADBCA720F14843AF50EC734ADE62DC424391
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f2035440f87e56f115f9f2583b64d464a20a8bf6d68d081cf9a4a4f97900573
                              • Instruction ID: 00d428307b270efa27ccf53611d18db50d88c47c0036822d4b947401a7709281
                              • Opcode Fuzzy Hash: 7f2035440f87e56f115f9f2583b64d464a20a8bf6d68d081cf9a4a4f97900573
                              • Instruction Fuzzy Hash: 1201AF31B105108BDBA5992CE854BAF73DBDBCABA0F10883AF60EC7341DE26DC424381
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e8a1bc5a2645d7360fc05444c91ec61f2675749ab66de04506c83f123a941b9
                              • Instruction ID: 77798f3a852dcd06f64991e49bd540de0c7be98548b488bf352a286fef73a54a
                              • Opcode Fuzzy Hash: 2e8a1bc5a2645d7360fc05444c91ec61f2675749ab66de04506c83f123a941b9
                              • Instruction Fuzzy Hash: FD014431B211148FDB65EAACD858B6B73D6EB85724F108829F60ECB355EE21EC818781
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0ab5ba05e7a24d9eac92d0208b9aed14ccdf768e4a9277498dc92cf39544bdff
                              • Instruction ID: a76ffd912bd5038122bb57173cde5bb3e570fe19469494b0dd532243e4610dca
                              • Opcode Fuzzy Hash: 0ab5ba05e7a24d9eac92d0208b9aed14ccdf768e4a9277498dc92cf39544bdff
                              • Instruction Fuzzy Hash: 1DF03936E10211EFEFA48E44E9805E9736CEB90365F1960AADE05CB345D632EA92C790
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 32496a6292fef2fec87fe9ba89a3aec06a8b26172266ae2efc6eea54bf031f8f
                              • Instruction ID: b283f878e2cc66ab12af4332dfdb93e3764016ba6cab7cf5646f8fda5b6f1bed
                              • Opcode Fuzzy Hash: 32496a6292fef2fec87fe9ba89a3aec06a8b26172266ae2efc6eea54bf031f8f
                              • Instruction Fuzzy Hash: F8F08C78A003198FC790FFB8C81026EBBE6FB84202F508579D919D7719EB349941CB92
                              Memory Dump Source
                              • Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1b55acb90fab7e2ee28edbc02aa1e9d2d339a484d26adb5bd5d3e25f21f89d56
                              • Instruction ID: 4efc40be35dfa5ce8665e0070501dc1fed34be5181ec78783ba676afc254c8ab
                              • Opcode Fuzzy Hash: 1b55acb90fab7e2ee28edbc02aa1e9d2d339a484d26adb5bd5d3e25f21f89d56
                              • Instruction Fuzzy Hash: AEE0D8B2E2924CFBEF50CB70C946B8A7BADD743204F5085A9D404C7342E176DA90D391
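The per-function "Similarity" entries above are raw analyzer output, one block per recovered function. As an added helper (not part of the Joe Sandbox report or its tooling), the following Python parses that layout into records, groups them by memory dump, and applies a few consistency checks. The checks are observations from this listing rather than documented Joe Sandbox semantics: every entry's Opcode ID repeats its Opcode Fuzzy Hash, both IDs are 64 hex characters, and the fourth dotted field of the .sdmp name carries the same base address as the Offset. The two entries in SAMPLE are copied from the listing; the function names and the "shared hashes" comparison are this example's own.

```python
"""Parse the per-function "Similarity" entries of a Joe Sandbox report,
group them by memory dump, and run basic consistency checks."""
import re
from collections import defaultdict

# Constructed sample: two entries copied from the listing above, in the
# same "Memory Dump Source" / bullet "Key: Value" layout.
SAMPLE = """\
Memory Dump Source
• Source File: 00000002.00000002.2630605162.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_66b0000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17940561bde89c07c45321170a4f052e1112043b35f1f1ad823bc77c699483ba
• Instruction ID: b2dece0dea4fc424c05cfa657336730ce32887551b9110a42e266dbcbaca4e4f
• Opcode Fuzzy Hash: 17940561bde89c07c45321170a4f052e1112043b35f1f1ad823bc77c699483ba
• Instruction Fuzzy Hash: BF11A132B111288FDB949A68E8106EE77AAEBC8310F104539D506E7344DE65DD028BD1
Memory Dump Source
• Source File: 00000002.00000002.2622812673.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_13dd000_MSBuild.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
• Instruction ID: 251c5e78370669aef5792a9884ab9edd81ac0e83eac00592226ddad9c6a164db
• Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
• Instruction Fuzzy Hash: 2411BB76504284CFCB12CF64D9C4B15BBA2FB84328F24C6A9D8494B292C33AD44ACF62
"""

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_entries(text):
    """Split the listing at each "Memory Dump Source" line and turn every
    bullet "Key: Value" line into a dict field. Unfilled fields such as
    API ID / String ID / API String ID are kept as ''."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # section headings such as "Similarity" carry no data
        key, _, value = line.lstrip("•").strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.search(line)
            if not m:
                raise ValueError("unparseable Source File line: " + line)
            current["Source File"] = m.group("file")
            current["Offset"] = int(m.group("offset"), 16)
            current["Based on PE"] = m.group("pe") == "true"
        else:
            current[key] = value
    return entries


def check_entry(e):
    """Return a list of consistency problems; [] means the entry is clean.
    Rules are observations from this report's listing, not a specification."""
    problems = []
    for key in ("Opcode ID", "Instruction ID"):
        if not (len(e.get(key, "")) == 64 and HEX_RE.match(e[key])):
            problems.append(f"{key} is not 64 hex chars")
    if e.get("Opcode ID") != e.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    if not HEX_RE.match(e.get("Instruction Fuzzy Hash", "")):
        problems.append("Instruction Fuzzy Hash is not hex")
    fields = e.get("Source File", "").split(".")
    try:
        if int(fields[3], 16) != e.get("Offset", -1):
            problems.append("dump file name does not match Offset")
    except (IndexError, ValueError):
        problems.append("dump file name has no hex base-address field")
    return problems


def group_by_source(entries):
    """Group entries by memory dump, e.g. to count functions recovered
    from the 066B0000 region versus the 013DD000 region."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["Source File"]].append(e)
    return dict(groups)


def shared_opcode_hashes(entries_a, entries_b):
    """Opcode fuzzy hashes present in both listings; a quick code-reuse
    test when comparing this report against another sample's report."""
    return ({e["Opcode Fuzzy Hash"] for e in entries_a}
            & {e["Opcode Fuzzy Hash"] for e in entries_b})


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for src, group in group_by_source(parsed).items():
        print(f"{src}: {len(group)} function(s)")
    for e in parsed:
        print(e["Snapshot File"], check_entry(e) or "ok")
```

To use it on the full report, paste the whole "Similarity" section (every block from "Memory Dump Source" to its Instruction Fuzzy Hash line) in place of SAMPLE; the indentation of the extracted text is stripped per line, so it can be copied as-is. Hashes from a second report can then be passed to shared_opcode_hashes to see which functions the two samples have in common.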