Windows Analysis Report
BqDa1EBEUK.exe

Overview

General Information

Sample name:BqDa1EBEUK.exe
renamed because original name is a hash value
Original sample name:edc0a83088582cf9cc1ed9d7414d387af4c626482d991585e028facc8da51e91.exe
Analysis ID:1465369
MD5:aa9d475bc02429a35578c7c7495391c0
SHA1:aefabfe061db6b6013e842c1ff5afb09b5686a6a
SHA256:edc0a83088582cf9cc1ed9d7414d387af4c626482d991585e028facc8da51e91
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • BqDa1EBEUK.exe (PID: 5680 cmdline: "C:\Users\user\Desktop\BqDa1EBEUK.exe" MD5: AA9D475BC02429A35578C7C7495391C0)
    • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 6444 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Malware Family Description

Name:RedLine Stealer
Description:RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution:No Attribution
Blogpost URLs / Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted Malware Configuration

{"C2 url": "185.196.9.26:6302", "Bot Id": "\u0295J", "Authorization Header": "4c4c925477423905413bca8818103116"}
Yara Matches

PCAP:
Source: dump.pcap | Rule: JoeSecurity_RedLine_1 | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Memory dumps:
Source: 00000002.00000002.2247337800.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: Process Memory Space: BqDa1EBEUK.exe PID: 5680 | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
(2 further memory-dump entries are not expanded in the report)

Unpacked PE files:
Source: 0.2.BqDa1EBEUK.exe.6ccff000.2.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.2.BqDa1EBEUK.exe.6ccff000.2.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 2.2.MSBuild.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.2.BqDa1EBEUK.exe.6cce0000.1.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Sigma: No Sigma rule has matched
Snort IDS Alerts

Timestamp:07/01/24-15:43:58.016995
SID:2046045
Source Port:49705
Destination Port:6302
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/01/24-15:44:06.078345
SID:2043231
Source Port:49705
Destination Port:6302
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/01/24-15:43:58.383566
SID:2043234
Source Port:6302
Destination Port:49705
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/01/24-15:44:03.740669
SID:2046056
Source Port:6302
Destination Port:49705
Protocol:TCP
Classtype:A Network Trojan was detected

                        AV Detection

Source: 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "185.196.9.26:6302", "Bot Id": "\u0295J", "Authorization Header": "4c4c925477423905413bca8818103116"}
Source: C:\Users\user\AppData\Roaming\d3d9.dll | ReversingLabs: Detection: 91%
Source: BqDa1EBEUK.exe | ReversingLabs: Detection: 64%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\d3d9.dll | Joe Sandbox ML: detected
Source: BqDa1EBEUK.exe | Joe Sandbox ML: detected
Source: BqDa1EBEUK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BqDa1EBEUK.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\BqDa1EBEUK.exe | Code function: 0_2_6CCF0A98 FindFirstFileExW (0_2_6CCF0A98)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 05B4D753h (2_2_05B4D490)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 05B4FB58h (2_2_05B4F660)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (2_2_05B48398)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 05B4D247h (2_2_05B4CAE8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then inc dword ptr [ebp-20h] (2_2_05B424F0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 05B4AB43h (2_2_05B4AB2B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 071BFFB5h (2_2_071BFBD8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 071BFFB5h (2_2_071BFBE8)

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49705 -> 185.196.9.26:6302
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49705 -> 185.196.9.26:6302
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 185.196.9.26:6302 -> 192.168.2.5:49705
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 185.196.9.26:6302 -> 192.168.2.5:49705
Source: Malware configuration extractor | URLs: 185.196.9.26:6302
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 185.196.9.26:6302
Source: Joe Sandbox View | ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 185.196.9.26
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003258000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003258000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003258000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003258000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: BqDa1EBEUK.exe, BqDa1EBEUK.exe, 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2247337800.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCE2790 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,0_2_6CCE2790
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCE11E00_2_6CCE11E0
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCE27900_2_6CCE2790
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCE2F700_2_6CCE2F70
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCF70450_2_6CCF7045
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCEB4500_2_6CCEB450
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCE2C000_2_6CCE2C00
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCE10000_2_6CCE1000
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A910B00_2_00A910B0
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9E2A00_2_00A9E2A0
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9B2990_2_00A9B299
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9CBEF0_2_00A9CBEF
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A98C800_2_00A98C80
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9A4F00_2_00A9A4F0
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A98E100_2_00A98E10
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9B0F00_2_00A9B0F0
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9F8780_2_00A9F878
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9ABB00_2_00A9ABB0
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A98C500_2_00A98C50
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A98C500_2_00A98C50
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9F5A00_2_00A9F5A0
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A98DFF0_2_00A98DFF
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A995300_2_00A99530
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_00A9EE530_2_00A9EE53
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_012CDC742_2_012CDC74
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B494982_2_05B49498
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B4B7802_2_05B4B780
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B4F6602_2_05B4F660
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B4C1182_2_05B4C118
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B460902_2_05B46090
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B490302_2_05B49030
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B483982_2_05B48398
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B4B2182_2_05B4B218
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B4A2402_2_05B4A240
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B4DED02_2_05B4DED0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B47B282_2_05B47B28
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B4CAE82_2_05B4CAE8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B49AD82_2_05B49AD8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B494882_2_05B49488
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B454782_2_05B45478
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B457C02_2_05B457C0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B407102_2_05B40710
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B407002_2_05B40700
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B490202_2_05B49020
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B483882_2_05B48388
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B4B2082_2_05B4B208
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05B49AC72_2_05B49AC7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071B77482_2_071B7748
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071B26382_2_071B2638
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071BB4A02_2_071BB4A0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071BEE282_2_071BEE28
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071BB9482_2_071BB948
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071B18F02_2_071B18F0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071BF3332_2_071BF333
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071BF3402_2_071BF340
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071BFBD82_2_071BFBD8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_071BFBE82_2_071BFBE8
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: String function: 6CCEC5B0 appears 33 times
                        Source: BqDa1EBEUK.exe, 00000000.00000000.2140738408.00000000001FC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNovaEdge45545279545.exeT vs BqDa1EBEUK.exe
                        Source: BqDa1EBEUK.exe, 00000000.00000002.2144156974.00000000007FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs BqDa1EBEUK.exe
                        Source: BqDa1EBEUK.exe, 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenameLeve.exe8 vs BqDa1EBEUK.exe
                        Source: BqDa1EBEUK.exeBinary or memory string: OriginalFilenameNovaEdge45545279545.exeT vs BqDa1EBEUK.exe
                        Source: BqDa1EBEUK.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: BqDa1EBEUK.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/3@0/1
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeFile created: C:\Users\user\AppData\Roaming\d3d9.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
                        Source: BqDa1EBEUK.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: MSBuild.exe, 00000002.00000002.2254089575.0000000003617000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE offer_meLReq$;a
                        Source: BqDa1EBEUK.exeReversingLabs: Detection: 64%
                        Source: unknownProcess created: C:\Users\user\Desktop\BqDa1EBEUK.exe "C:\Users\user\Desktop\BqDa1EBEUK.exe"
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dwrite.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvcp140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32
                        Source: BqDa1EBEUK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: BqDa1EBEUK.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: BqDa1EBEUK.exe Static file information: File size 1610240 > 1048576
                        Source: BqDa1EBEUK.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14b200
                        Source: BqDa1EBEUK.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: BqDa1EBEUK.exe Static PE information: section name: .uk8
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Code function: 0_2_6CCF7774 push ecx; ret 0_2_6CCF7787
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_071BD522 pushad ; retn 6B9Ah 2_2_071BD58D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_071BB31C push FFFFFF8Bh; iretd 2_2_071BB31E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_071BB361 push FFFFFF8Bh; iretd 2_2_071BB363
                        Source: BqDa1EBEUK.exe Static PE information: section name: .text entropy: 7.892081010693948
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Memory allocated: A50000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Memory allocated: 2680000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Memory allocated: 23A0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 12C0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3090000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2DF0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 579
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1468
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe TID: 7128 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1772 Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5844 Thread sleep count: 579 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5844 Thread sleep count: 1468 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6540 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Code function: 0_2_6CCF0A98 FindFirstFileExW, 0_2_6CCF0A98
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000033C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655LReq
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: MSBuild.exe, 00000002.00000002.2252915407.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: MSBuild.exe, 00000002.00000002.2257843372.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: MSBuild.exe, 00000002.00000002.2254089575.00000000034A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 2_2_05B47410 LdrInitializeThunk, 2_2_05B47410
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Code function: 0_2_6CCEC43A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CCEC43A
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe Code function: 0_2_6CCF21BB GetProcessHeap, 0_2_6CCF21BB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCEC43A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CCEC43A
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCF03E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CCF03E7
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeCode function: 0_2_6CCEBF61 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6CCEBF61
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Code function: 0_2_6CCE2F70 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CreateProcessW,VirtualAlloc,GetThreadContext,VirtualAllocEx,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,0_2_6CCE2F70
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DE3008
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Code function: 0_2_6CCEC5F8 cpuid 0_2_6CCEC5F8
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Queries volume information: C:\Users\user\Desktop\BqDa1EBEUK.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\BqDa1EBEUK.exe; Code function: 0_2_6CCEC083 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6CCEC083
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: MSBuild.exe, 00000002.00000002.2262970296.0000000005A77000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara match; File source: dump.pcap, type: PCAP
                        Source: Yara match; File source: 0.2.BqDa1EBEUK.exe.6ccff000.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 0.2.BqDa1EBEUK.exe.6ccff000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 0.2.BqDa1EBEUK.exe.6cce0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 00000002.00000002.2247337800.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: Process Memory Space: BqDa1EBEUK.exe PID: 5680, type: MEMORYSTR
                        Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6444, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                        Source: Yara match; File source: 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6444, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match; File source: dump.pcap, type: PCAP
                        Source: Yara match; File source: 0.2.BqDa1EBEUK.exe.6ccff000.2.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 0.2.BqDa1EBEUK.exe.6ccff000.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 0.2.BqDa1EBEUK.exe.6cce0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 00000002.00000002.2247337800.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: Process Memory Space: BqDa1EBEUK.exe PID: 5680, type: MEMORYSTR
                        Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6444, type: MEMORYSTR
                        MITRE ATT&CK Matrix (one column per tactic; the numeric prefixes are carried over from the source matrix):

                        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                        | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                        | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 351 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
                        | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                        | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
                        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 124 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                        | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                        Submitted file:

                        | Source | Detection | Scanner | Label |
                        | BqDa1EBEUK.exe | 65% | ReversingLabs | Win32.Trojan.RedLine |
                        | BqDa1EBEUK.exe | 100% | Joe Sandbox ML | |

                        Dropped file:

                        | Source | Detection | Scanner | Label |
                        | C:\Users\user\AppData\Roaming\d3d9.dll | 100% | Joe Sandbox ML | |
                        | C:\Users\user\AppData\Roaming\d3d9.dll | 92% | ReversingLabs | Win32.Trojan.LummaStealer |

                        No Antivirus matches
                        No Antivirus matches
                        Contacted domains:

                        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                        | fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown |

                        Contacted IPs:

                        | Name | Malicious | Antivirus Detection | Reputation |
                        | 185.196.9.26:6302 | true | Avira URL Cloud: safe | unknown |
                        URLs found in memory dumps:

                        | Name | Source | Malicious | Antivirus Detection | Reputation |
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextMSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/sc/sctMSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://duckduckgo.com/chrome_newtabMSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
URL | Source | Malicious | Detection | Reputation
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | MSBuild.exe, 00000002.00000002.2254089575.0000000003258000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id9 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id8 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id4 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id19Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id15Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ip.sb/ip | BqDa1EBEUK.exe, BqDa1EBEUK.exe, 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2247337800.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id9Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id20 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003258000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id24 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id24Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id10 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id11 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id16Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id13 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id14 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id15 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id16 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id17 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id18 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id19 | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id10Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id8Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | MSBuild.exe, 00000002.00000002.2254089575.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtabS | MSBuild.exe, 00000002.00000002.2254089575.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id3ResponseD | MSBuild.exe, 00000002.00000002.2254089575.0000000003258000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23Response | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2254089575.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | MSBuild.exe, 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.196.9.26 | unknown | Switzerland | 42624 | SIMPLECARRIERCH | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1465369
                          Start date and time:2024-07-01 15:42:54 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 37s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:BqDa1EBEUK.exe
                          renamed because original name is a hash value
                          Original Sample Name:edc0a83088582cf9cc1ed9d7414d387af4c626482d991585e028facc8da51e91.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@4/3@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 44
                          • Number of non-executed functions: 33
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 52.165.165.26, 2.16.100.168, 88.221.110.91, 192.229.221.95, 52.165.164.15
                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: BqDa1EBEUK.exe
Time | Type | Description
09:44:03 | API Interceptor | 13x Sleep call for process: MSBuild.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
185.196.9.26 | software.exe | malicious | RedLine
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | https://www.asarco.com/ | malicious | Unknown | 192.229.221.95
 | https://m.exactag.com/ai.aspx?tc=d9288846bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ainjurylawkings.com%2Fwinner%2F13476%2F%2Fc2FuZWV5YS5rYW5nQDJzZmcuY29t | malicious | HTMLPhisher | 192.229.221.95
 | Remittance advice.exe | malicious | AgentTesla | 192.229.221.95
 | https://na4.docusign.net/Signing/EmailStart.aspx?a=95fa3666-e4d2-4181-926f-7d752b5d1bb7&acct=4b225f64-a250-4de3-9bb5-6320c76f2c33&er=388f7591-fe27-446f-8df0-11aebdd778b2 | malicious | Unknown | 192.229.221.95
 | https://skofmygytomybosinthrfm.nl/you/hi/okay/okay/their/kkyag/than/to/us/us/invite/ | malicious | HTMLPhisher | 192.229.221.95
 | http://links.notification.intuit.com/ls/click?upn=u001.4HBRtPy8j6uXsK2aeX2RzAh5EFPhCIIFV3VEN-2Fx7CtL7yL0rqbEG5To4Yn7gWqQ9aLy0xQjXtfA1aWI51jOBcgZZmdPU7rNXiI9qBQrw0Fh0XMUzwxEuUgv3ZFNQWIem-2BNTPYnrL9k9a1nDRjz4a88WPYyDduqTuKohuiQXsusYwJ-2FidZWWf8oC-2Bke5XZf6maHD-2Fd7ablYFhYAopCg9-2FJ24-2F8yZwA220wlNNRUX0yppVttR34V4P26behAEAgmPnWgi1QdqkcH8GVovfzu4LIw-3D-3DQBy7_5Y9C-2B-2Fzbmi1Z8AZ1P0Xb45Ep-2FzkkH96c1HQoTeKyfF3Cy9GA0JrKF-2FtBKU7Gy7tV6PIIEw2aSpbKuiOE5zUrdfKHijLS1CrX6di2rdCWz3230MnOWYRyIFetWhrSPF9k5LzSphdJmNETjrHElDpdShj1s4ILnQWpWcU1acTiMnif850-2BYV-2F5lXeG2jTC-2BOwApN8qupRmwT8fNNE9PPcwErJLxahBxSpmSq91gTlumLJlQuv6Mi-2FueOgXZeZsKYVaksXeYc4hm3iYcmZyYCYz0c5CytX-2FkcYDgjcEPGcMdE4wdmef7F34ZhNuR1BzXUZca-2BlM-2FSHy6Wcv-2B44fNGLavW0-2FgwmkSe7DWrN2Qxs4-2BbmqEK8zVd2B-2F-2BfhLv7s-2BwUYCFzSfpco2w0S0EkPk2QiaigfgYJrhsDWFQrr8XAjN8LEK9fzOOYMlKBdNBCCovn1-2BQdoVowInLACYcfv7UF18ixzp9yjXcoI2GtVtXTFy0zwL-2BunyW6y6aLD3UTkKp7eGuS-2Fs2l9K233QQTHOgsxIsW5yOnAipuno6Jz4FUupJjvG-2FSd7m5GLY99tPmOlknWYVUdaS4l4nbH7zNFdVoP-2Fmr7J9FoB812uhszre4JhgikLbqFLMCT1av4GEdnKOwpstUkw9rVNgxd2MHPktA30uhIQeOnTGGKgw66UsPvJvw-3D | malicious | Unknown | 192.229.221.95
 | http://www.thehorizondispatch.com | malicious | Unknown | 192.229.221.95
 | https://clicktime.cloud.postoffice.net/clicktime.php?U=https%3A%2F%2Ftelegra.ph%2FDavis-Insurance-Agency-LLC-06-28&E=kgarber%40woodlandsbank.com&X=XID311CFbwQP1837Xd1&T=WDLP&HV=U,E,X,T&H=3a14786ee7a8dd2b0305ef5dd961d4108cbfaf34 | malicious | Unknown | 192.229.221.95
 | http://62.133.61.56/Downloads/Full%20Video%20HD%20(1080p).lnk | malicious | Unknown | 192.229.221.95
 | https://m.exactag.com/ai.aspx?tc=d9476116bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ajeffreyhensley.com%2Fwinner%2F54980%2F%2Fa2VlbGV5LmhvbGdhdGVAMnNmZy5jb20= | malicious | HTMLPhisher | 192.229.221.95
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SIMPLECARRIERCH | Jr7B1jZMaT.exe | malicious | NovaSentinel | 185.196.9.89
 | software.exe | malicious | RedLine | 185.196.9.26
 | rIlzbkxg.exe | malicious | AgentTesla, PureLog Stealer | 185.196.9.150
 | AaSwePhLEn.exe | malicious | RHADAMANTHYS | 185.196.9.57
 | rlytKovocev.exe | malicious | AgentTesla, PureLog Stealer | 185.196.11.12
 | rrTqdiabb.exe | malicious | AgentTesla, PureLog Stealer | 185.196.11.12
 | mFduH8XG1f.exe | malicious | AgentTesla, PureLog Stealer | 185.196.9.150
 | 8uy7ZljOoi.exe | malicious | AgentTesla, PureLog Stealer | 185.196.11.12
 | Dekont-31.05.2024.pdf.exe | malicious | AgentTesla, PureLog Stealer | 185.196.11.12
 | DerI9qwTwK.elf | malicious | Kaiji | 185.196.9.180
                            No context
                            No context
                            Process:C:\Users\user\Desktop\BqDa1EBEUK.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):226
                            Entropy (8bit):5.360398796477698
                            Encrypted:false
                            SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                            MD5:3A8957C6382192B71471BD14359D0B12
                            SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                            SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                            SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):3094
                            Entropy (8bit):5.33145931749415
                            Encrypted:false
                            SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                            MD5:2A56468A7C0F324A42EA599BF0511FAF
                            SHA1:404B343A86EDEDF5B908D7359EB8AA957D1D4333
                            SHA-256:6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
                            SHA-512:19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Users\user\Desktop\BqDa1EBEUK.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):428544
                            Entropy (8bit):5.914119690385502
                            Encrypted:false
                            SSDEEP:6144:4FH+Bu7AxSB5DrwtaroV0XWo44gdY+3E3mHZf5NWL+rFI:ueA7AqrwtaxlgdY+3E3mo
                            MD5:0733702D1847B275961A140D86338CF3
                            SHA1:9FEDBBD481EFE7BF36AD9F29D498E713D20A540D
                            SHA-256:928A5A928CE6419448FE53F3C8FAE38F246FE6DB7228E38E761C5113A052F55B
                            SHA-512:48ACEF460899768931167C62019F06A708C8AE06CBFB714153172CE147D831E55258E5EA634B0325F898AEC2161670A21F22A0AAE3DBB6AC01E3B7578ABC8A4F
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 92%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L.....xf...........!...&.j...&......>.....................................................@.............................x...x...<................................... ...............................`...@...............P............................text....i.......j.................. ..`.rdata...d.......f...n..............@..@.data...\...........................@....reloc...............v..............@..B................................................................................................................................................................................................................................................................................................................................
                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.795023263375608
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                            • Win32 Executable (generic) a (10002005/4) 49.96%
                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:BqDa1EBEUK.exe
                            File size:1'610'240 bytes
                            MD5:aa9d475bc02429a35578c7c7495391c0
                            SHA1:aefabfe061db6b6013e842c1ff5afb09b5686a6a
                            SHA256:edc0a83088582cf9cc1ed9d7414d387af4c626482d991585e028facc8da51e91
                            SHA512:3b058dee4b5a959b64e1ade4206f87a4ec46594b58a270866920318593d98c9025b15d17c3486f1595955238cedde86f1b2a8ebb722cc1668c315a9fcd31560a
                            SSDEEP:24576:iUwjiv9SI194bspApcCmILYKV+u9O4qZFIYJnddR+Xk85PPU5cgyXd8UOybz:ROivgHcCmIf+u9YZrpk9BRdhbz
                            TLSH:CD758DF721775044F717BF722350497ACBA47A202C51DFA9B14E5DA3C733A42A388AB9
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xf................................. ........@.. ....................................@................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x54d0be
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows cui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x667810BC [Sun Jun 23 12:10:36 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction (entrypoint disassembly)
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al   (repeated 97 times: the bytes following the CLR entry stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14d068 | 0x53 | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18c000 | 0x6e0 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18e000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x165000 | 0x48 | .uk8
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x14b0c4 | 0x14b200 | e10568eaee832c386f273bc5c1fa5f9e | False | 0.7892608354567762 | data | 7.892081010693948 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .uk8 | 0x14e000 | 0x3c630 | 0x3c800 | 8b44cc85776ca7ad6bb90af56a5af84b | False | 0.5767085808367769 | data | 6.38152009581441 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x18c000 | 0x6e0 | 0x800 | 5140979a788770a89120ea37db099585 | False | 0.3642578125 | data | 3.7677058451231376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0x18e000 | 0xc | 0x200 | 50d3c35f580058964369e5f57c3783a4 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_VERSION | 0x18c0a0 | 0x450 | data | | | 0.39945652173913043
                            RT_MANIFEST | 0x18c4f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            07/01/24-15:43:58.016995 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            07/01/24-15:44:06.078345 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            07/01/24-15:43:58.383566 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            07/01/24-15:44:03.740669 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jul 1, 2024 15:43:51.186131001 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
                            Jul 1, 2024 15:43:57.136236906 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:43:57.141140938 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:43:57.142323971 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:43:57.150913954 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:43:57.159437895 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:43:57.984177113 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:43:58.016994953 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:43:58.022028923 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:43:58.383565903 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:43:58.436091900 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:43:59.967310905 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
                            Jul 1, 2024 15:43:59.967323065 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
                            Jul 1, 2024 15:44:00.795516968 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
                            Jul 1, 2024 15:44:02.479899883 CEST | 443 | 49703 | 23.1.237.91 | 192.168.2.5
                            Jul 1, 2024 15:44:02.480065107 CEST | 49703 | 443 | 192.168.2.5 | 23.1.237.91
                            Jul 1, 2024 15:44:03.459609985 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:03.464586973 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:03.740669012 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:03.741537094 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:03.741553068 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:03.741655111 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:03.744950056 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:03.744967937 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:03.745049000 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:03.795434952 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:05.559401989 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:05.564361095 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564390898 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564424992 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:05.564460993 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:05.564543962 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564554930 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564619064 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:05.564651966 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564662933 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564701080 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:05.564867020 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564872026 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564877987 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.564912081 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:05.565223932 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.569333076 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.569366932 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.569444895 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.569456100 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.569529057 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.569540977 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.569680929 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:05.570168018 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:06.077522039 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:06.078345060 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Jul 1, 2024 15:44:06.083195925 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:06.355707884 CEST | 6302 | 49705 | 185.196.9.26 | 192.168.2.5
                            Jul 1, 2024 15:44:06.392554998 CEST | 49705 | 6302 | 192.168.2.5 | 185.196.9.26
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jul 1, 2024 15:44:11.864598989 CEST | 1.1.1.1 | 192.168.2.5 | 0x3a1d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Jul 1, 2024 15:44:11.864598989 CEST | 1.1.1.1 | 192.168.2.5 | 0x3a1d | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                            Jul 1, 2024 15:44:25.228127003 CEST | 1.1.1.1 | 192.168.2.5 | 0xa74b | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Jul 1, 2024 15:44:25.228127003 CEST | 1.1.1.1 | 192.168.2.5 | 0xa74b | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false

                            Target ID:0
                            Start time:09:43:54
                            Start date:01/07/2024
                            Path:C:\Users\user\Desktop\BqDa1EBEUK.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\BqDa1EBEUK.exe"
                            Imagebase:0x70000
                            File size:1'610'240 bytes
                            MD5 hash:AA9D475BC02429A35578C7C7495391C0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:09:43:54
                            Start date:01/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:09:43:55
                            Start date:01/07/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Imagebase:0xac0000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2247337800.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2254089575.0000000003124000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:true

                              Execution Graph

                              Execution Coverage:28.2%
                              Dynamic/Decrypted Code Coverage:1.1%
                              Signature Coverage:9.7%
                              Total number of Nodes:703
                              Total number of Limit Nodes:20
                              execution_graph 12714 6ccebbfe 12715 6ccebc3c 12714->12715 12716 6ccebc09 12714->12716 12753 6ccebd58 12715->12753 12718 6ccebc2e 12716->12718 12719 6ccebc0e 12716->12719 12726 6ccebc51 12718->12726 12720 6ccebc24 12719->12720 12721 6ccebc13 12719->12721 12745 6ccec20b 12720->12745 12725 6ccebc18 12721->12725 12740 6ccec22a 12721->12740 12727 6ccebc5d __FrameHandler3::FrameUnwindToState 12726->12727 12776 6ccec29b 12727->12776 12729 6ccebc64 __DllMainCRTStartup@12 12730 6ccebc8b 12729->12730 12731 6ccebd50 12729->12731 12737 6ccebcc7 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState 12729->12737 12787 6ccec1fd 12730->12787 12795 6ccec43a IsProcessorFeaturePresent 12731->12795 12734 6ccebd57 12735 6ccebc9a __RTC_Initialize 12735->12737 12790 6ccec11b InitializeSListHead 12735->12790 12737->12725 12738 6ccebca8 12738->12737 12791 6ccec1d2 12738->12791 13061 6ccef8c3 12740->13061 13267 6cced0fc 12745->13267 12748 6ccec214 12748->12725 12751 6ccec227 12751->12725 12752 6cced107 21 API calls 12752->12748 12754 6ccebd64 __FrameHandler3::FrameUnwindToState __DllMainCRTStartup@12 12753->12754 12755 6ccebd95 12754->12755 12756 6ccebe00 12754->12756 12768 6ccebd6d 12754->12768 13287 6ccec26b 12755->13287 12758 6ccec43a __DllMainCRTStartup@12 4 API calls 12756->12758 12761 6ccebe07 __FrameHandler3::FrameUnwindToState 12758->12761 12759 6ccebd9a 13296 6ccec127 12759->13296 12762 6ccebe3d dllmain_raw 12761->12762 12772 6ccebe38 __DllMainCRTStartup@12 12761->12772 12773 6ccebe23 12761->12773 12764 6ccebe57 dllmain_crt_dispatch 12762->12764 12762->12773 12763 6ccebd9f __RTC_Initialize __DllMainCRTStartup@12 13299 6ccec40c 12763->13299 12764->12772 12764->12773 12768->12725 12769 6ccebea9 12770 6ccebeb2 dllmain_crt_dispatch 12769->12770 12769->12773 12771 6ccebec5 dllmain_raw 12770->12771 12770->12773 12771->12773 12772->12769 12774 6ccebd58 __DllMainCRTStartup@12 81 API calls 12772->12774 12773->12725 12775 6ccebe9e 
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Memory$Write$AllocVirtual$Thread$Context$CloseCreateHandleReadWindowWow64$ConsoleResumeShow
                              • String ID: CC$6C$6C$+~Zg$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$Cj $D$J_X$KV1t$KV1t$L^|%$Nw\-$WPb$X!?$kernel32.dll$ntdll.dll$$3
                              • API String ID: 2556076057-2906395385
                              • Opcode ID: 750715e48bca522da13448d6ab90ccef0275d25d942c11aea3076c14a811e0de
                              • Instruction ID: a967d439bc27645926910e6baa10210e16dd04db701c6d3b0614e3226cb9fdca
                              • Opcode Fuzzy Hash: 750715e48bca522da13448d6ab90ccef0275d25d942c11aea3076c14a811e0de
                              • Instruction Fuzzy Hash: 76E31332A013158FCB14CE2ECE947DA77F2AF4B314F144699D518A7BA1E6369E89CF04
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?), ref: 6CCE194E
                              • GetModuleHandleA.KERNEL32 ref: 6CCE1992
                              • CreateFileMappingA.KERNEL32 ref: 6CCE1DE5
                              • CloseHandle.KERNEL32 ref: 6CCE1F31
                              • MapViewOfFile.KERNELBASE ref: 6CCE1F82
                              • VirtualProtect.KERNELBASE ref: 6CCE23B1
                              • VirtualProtect.KERNELBASE ref: 6CCE2468
                              • FindCloseChangeNotification.KERNELBASE ref: 6CCE25DD
                              • CloseHandle.KERNEL32 ref: 6CCE25EE
                              • CloseHandle.KERNEL32 ref: 6CCE2602
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$FileProtectVirtual$ChangeCreateCurrentFindMappingModuleNotificationProcessView
                              • String ID: .text$@$FSz
                              • API String ID: 997343362-2979913545
                              • Opcode ID: cb099cab42409eaf7252778c3ed72701e03a65117c74bcf6d7a5e1cf9bd03b0e
                              • Instruction ID: feb13d301d7eb3c866acac46d02f5be11536dfe148625bf7c0658ed910323d0b
                              • Opcode Fuzzy Hash: cb099cab42409eaf7252778c3ed72701e03a65117c74bcf6d7a5e1cf9bd03b0e
                              • Instruction Fuzzy Hash: 15C2EA79A1021A8FDB08CF7DC9A87DDBBF1AB4B314F108199E919EB791E2358D458F01
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID: q*i$17.g$3k&0$4M9E$>10F$@m|$`g|$`l|$
                              • API String ID: 0-1201283588
                              • Opcode ID: 856bd49764543f22d9cde503d839970adadae2b1bff838e195e0ec6b775ba61c
                              • Instruction ID: f120ae77ee9251f28c591620b8afad2afc66b2db473be6d4335ec790b859c7d0
                              • Opcode Fuzzy Hash: 856bd49764543f22d9cde503d839970adadae2b1bff838e195e0ec6b775ba61c
                              • Instruction Fuzzy Hash: 88E30975F002299FCB64DF68C940A99B7B6EF98310F5181EA981DF7354DA35AE81CF80

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: NtQueryInformationProcess$ntdll.dll
                              • API String ID: 1646373207-2906145389
                              • Opcode ID: ef308d52b1379068be231604aed869f80e082b7296a7cdbe591b42de2bdfbe5b
                              • Instruction ID: ce4818399ddf78c72ca3721d2c268eae8ab610a63edb64c9fba282ebe4321547
                              • Opcode Fuzzy Hash: ef308d52b1379068be231604aed869f80e082b7296a7cdbe591b42de2bdfbe5b
                              • Instruction Fuzzy Hash: 64B1D271A042468FDB14DFBDC9A97DEBBF5BB4B314F108219D8129BB94E3358909CB01
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID: $f|$$f|$piq$piq
                              • API String ID: 0-665521201
                              • Opcode ID: 5171bf3af5742e6a5f773ebe69b00cb35443d0576c5a51aa5b8c5e0f69004d77
                              • Instruction ID: 0f00ae1ae95e2babfa98a1c235afef1a33b45677c5d08a5ff275a26185a231fe
                              • Opcode Fuzzy Hash: 5171bf3af5742e6a5f773ebe69b00cb35443d0576c5a51aa5b8c5e0f69004d77
                              • Instruction Fuzzy Hash: 04C26875B406198FCB24DF69C9C4A99BBF2BF88300F1581A9E509AB361DB71ED85CF40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 00A98E10, basic blocks 00A98E10-00A9951B; no Win32 API calls, calls internal routine 00A98C28
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID: /&2B
                              • API String ID: 0-2423729899
                              • Opcode ID: 1f9f14dde8b6b5316f2f9bbe59dd1a90d6a6b06fa76a3b376b1d0a2927719a14
                              • Instruction ID: 9a01e2dffcb0e9075a0c1f67073183b8ec7ae3c84f43fb7b02fae9e0a2f7af2d
                              • Opcode Fuzzy Hash: 1f9f14dde8b6b5316f2f9bbe59dd1a90d6a6b06fa76a3b376b1d0a2927719a14
                              • Instruction Fuzzy Hash: 3D223A75E00209AFCF58CFAAC8946DEB7F2FF98310B14C16AD425AB255DB389A45CF50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 00A98DFF, basic blocks 00A98DFF-00A9951B; no Win32 API calls, calls internal routine 00A98C28
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID: /&2B
                              • API String ID: 0-2423729899
                              • Opcode ID: d5016a619ae6b38c05c21de595a04e2998135860351d5f035f0636cb80848934
                              • Instruction ID: 79d6b8645e98b11e243910f45d8d4078dfccc4fc9a9be81a76df25b71c673d5a
                              • Opcode Fuzzy Hash: d5016a619ae6b38c05c21de595a04e2998135860351d5f035f0636cb80848934
                              • Instruction Fuzzy Hash: 96B1E275E00209AFCB48DFAAC495A9DB7F2EF98310F14C1AAD425EB251DB389A40CF50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 00A98C50, basic blocks in 00A98C05-00A98DFE; no API calls
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID: .%3y
                              • API String ID: 0-2191339442
                              • Opcode ID: 4cbfdcfafe754980f4aefbb12a7fae495d34aa2d355d9d77fe12e85b0fa49395
                              • Instruction ID: fd5ad66d57cabfad0c9fcc74986e13d53265998ae20c57ee9e1e8fcc8a1773a9
                              • Opcode Fuzzy Hash: 4cbfdcfafe754980f4aefbb12a7fae495d34aa2d355d9d77fe12e85b0fa49395
                              • Instruction Fuzzy Hash: 93414833F196350BC7158A6DC8A0552B7D2AB9631074A81BEDC41EBB91EA6DDC09C7D0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 00A98C80, basic blocks 00A98C80-00A98DFE; no API calls
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID: .%3y
                              • API String ID: 0-2191339442
                              • Opcode ID: c1d39bb6ea8bafcc409c87482114b950c2ec59b4710fae3e53a45006989e96fe
                              • Instruction ID: c392077123833bfd62c28689ed6313a74650d3e08474a1d133680ce82da0fcd9
                              • Opcode Fuzzy Hash: c1d39bb6ea8bafcc409c87482114b950c2ec59b4710fae3e53a45006989e96fe
                              • Instruction Fuzzy Hash: 2E314C33F109390797588A6EDC905A2F2D6A7D475034A827DDD46FBB40EE68DD09CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 017b99f9e727e782db257a7a42500acb6ff55c488d8c419be81ce586a7899593
                              • Instruction ID: c8459eb8d967e2c339b61dbf9147b74288ce2c035953fe3ae7d211423b94012f
                              • Opcode Fuzzy Hash: 017b99f9e727e782db257a7a42500acb6ff55c488d8c419be81ce586a7899593
                              • Instruction Fuzzy Hash: B2C11436F201345B8F586B7C2E9827E62D7ABC9700359857DE907EB391DE28CC0543E2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9c213f8d8703b4a9b9b805ff20e40defa0a3cf9428d1ce882d237583b855ab89
                              • Instruction ID: 70a05e9538268da09da2ea44a4315c47e19d7f3bd152b6c5f127ff443291f5af
                              • Opcode Fuzzy Hash: 9c213f8d8703b4a9b9b805ff20e40defa0a3cf9428d1ce882d237583b855ab89
                              • Instruction Fuzzy Hash: 3CE1AE35B001249F8B54EB6DD998A6D77F2BF8871075644ADE90AEB360DE34ED00CBD2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e3ec0efc7015b682f78b568d0d9292a9b1bf55869426d1b5a7087d6e32d75f3
                              • Instruction ID: bc25f9c557d483303b0d75ac93c0195a99b64f710f7ad9adcb31300f0513e262
                              • Opcode Fuzzy Hash: 8e3ec0efc7015b682f78b568d0d9292a9b1bf55869426d1b5a7087d6e32d75f3
                              • Instruction Fuzzy Hash: FBB14735B003098FCB14DFA9D9D4A9DB7F6AF88300B658229E505DF766DA70EC45CB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 6CCEBD58, basic blocks 6CCEBD58-6CCEBF12; CRT DLL entry path calling dllmain_raw and dllmain_crt_dispatch, plus internal routines 6CCEC5B0, 6CCEC1A0, 6CCEC26B, 6CCEC127, 6CCEC583, 6CCEBDED, 6CCEC40C, 6CCEBDFA, 6CCEC43A and 6CCEB450
                              APIs
                              • __RTC_Initialize.LIBCMT ref: 6CCEBD9F
                              • ___scrt_uninitialize_crt.LIBCMT ref: 6CCEBDB9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: Initialize___scrt_uninitialize_crt
                              • String ID:
                              • API String ID: 2442719207-0
                              • Opcode ID: 8b06d34b15c7eb1bada45b6401c26d6c82d1d1567aaf3778e5094a84a502faa7
                              • Instruction ID: bb5dcf12c8e5eb5f6fd321271bac6d5fee336bbcc8df4a03365376e8b9ae0968
                              • Opcode Fuzzy Hash: 8b06d34b15c7eb1bada45b6401c26d6c82d1d1567aaf3778e5094a84a502faa7
                              • Instruction Fuzzy Hash: 8441F472E05719ABDB209F56C850BFE3A78EF8B758F114119E92567B40F73089058BE4

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 6CCEBE08, basic blocks 6CCEBE08-6CCEBF12; calls dllmain_raw and dllmain_crt_dispatch, plus internal routines 6CCEC5B0, 6CCEB450 and 6CCEBD58
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: dllmain_raw$dllmain_crt_dispatch
                              • String ID:
                              • API String ID: 3136044242-0
                              • Opcode ID: 202af0fb73eef99d1412954d3d08b61596757dd8c291e0c12cc16cb1fea34ada
                              • Instruction ID: dc5ff94758542b309d2f50ade2921caa6c7f8e0d973c19bcd38dab7a23dc89ca
                              • Opcode Fuzzy Hash: 202af0fb73eef99d1412954d3d08b61596757dd8c291e0c12cc16cb1fea34ada
                              • Instruction Fuzzy Hash: 8D21D172D0171AABCB218F16CC60ABF3A78EF8BA98F014115F9196BB10F7308D018BD4

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 6CCEBC51, basic blocks 6CCEBC51-6CCEBD57; CRT startup helper calling internal routines 6CCEC5B0, 6CCEC29B, 6CCEC1A0, 6CCEC1FD, 6CCEC557, 6CCEC11B, 6CCEC13F, 6CCEEC27, 6CCEC1D2, 6CCEEBFC, 6CCEBD34, 6CCEC434, 6CCEC35B and 6CCEC43A
                              APIs
                              • __RTC_Initialize.LIBCMT ref: 6CCEBC9E
                                • Part of subcall function 6CCEC11B: InitializeSListHead.KERNEL32(6CD49420,6CCEBCA8,6CCFD650,00000010,6CCEBC39,?,?,?,6CCEBE61,?,00000001,?,?,00000001,?,6CCFD698), ref: 6CCEC120
                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CCEBD08
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                              • String ID:
                              • API String ID: 3231365870-0
                              • Opcode ID: e020b3da3f80b70556fe2c97142c70a19b03b072b6c02f14d86d5f1ed5bdf9e9
                              • Instruction ID: 1fc95a04cf686eaea6850b6c4df45ff669cab55f35f1628223be33d183632ffe
                              • Opcode Fuzzy Hash: e020b3da3f80b70556fe2c97142c70a19b03b072b6c02f14d86d5f1ed5bdf9e9
                              • Instruction Fuzzy Hash: BB2102326093499ADF107FB5C411BFC3B60AF0F26CF20488AD665ABFC1FB210149C6A9

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 6CCF228C, basic blocks 6CCF228C-6CCF233B; calls GetStdHandle and GetFileType
                              APIs
                              • GetStdHandle.KERNEL32(000000F6), ref: 6CCF22D8
                              • GetFileType.KERNELBASE(00000000), ref: 6CCF22EA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileHandleType
                              • String ID:
                              • API String ID: 3000768030-0
                              • Opcode ID: e153341aa186c48d43107fad1f5b3e858f5a5f7cf03d7a75a77a173fd31b2ffe
                              • Instruction ID: 8f5148f96d14c5fe0440de70c35e52e6a6420bf78fc9a56216a8b529a280ea2d
                              • Opcode Fuzzy Hash: e153341aa186c48d43107fad1f5b3e858f5a5f7cf03d7a75a77a173fd31b2ffe
                              • Instruction Fuzzy Hash: A011A2B160478146DB744F3F88AD622BAACBF47238B74071ED5B696DF1E270D58BC640

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 00A9F228, basic blocks 00A9F228-00A9F2CB; calls LoadLibraryW
                              APIs
                              • LoadLibraryW.KERNELBASE(00000000), ref: 00A9F298
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144415553.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a90000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 27bb58b3b94830e099067fc84564ba969eafc1d679b54d1598ed0579d8f9999b
                              • Instruction ID: 5043238a32ed1a98ddd403003a671637d1fc9f21c5fa7429d8c4ee72056681b9
                              • Opcode Fuzzy Hash: 27bb58b3b94830e099067fc84564ba969eafc1d679b54d1598ed0579d8f9999b
                              • Instruction Fuzzy Hash: 8D1123B5D006199FCB10CF9AD944BDEFBF8FB48320F10812AE818A7250D774A944CFA1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 024503C0, basic blocks 024503C0-0245045D; calls FindCloseChangeNotification
                              APIs
                              • FindCloseChangeNotification.KERNELBASE ref: 0245041F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144632200.0000000002450000.00000040.00000800.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2450000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 9f2831090fb7f54758b08e8dbde3af914353c4133684b5eb68ae7dc8a1689660
                              • Instruction ID: 1e8b585422993c893a38756cbf23f366a96759c48042d75917481b7adfd7b107
                              • Opcode Fuzzy Hash: 9f2831090fb7f54758b08e8dbde3af914353c4133684b5eb68ae7dc8a1689660
                              • Instruction Fuzzy Hash: 271136B58002598FCB20CF9AC944BDEBBF4EF88320F24845AD958A7351D778A944CFA5

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 024503BB, basic blocks 024503BB-0245045D; calls FindCloseChangeNotification
                              APIs
                              • FindCloseChangeNotification.KERNELBASE ref: 0245041F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2144632200.0000000002450000.00000040.00000800.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2450000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 070344e5b741ca731c3dd5f892dcf010d6ab87b4911e6374d2ce48e1a12fc49b
                              • Instruction ID: b4af47287db39888d699cea5212576043c5405158d703223f460b9494f5aedf7
                              • Opcode Fuzzy Hash: 070344e5b741ca731c3dd5f892dcf010d6ab87b4911e6374d2ce48e1a12fc49b
                              • Instruction Fuzzy Hash: 681158B59002598FCB20CF99C544BEEBBF4EF88320F14846AD558A3241C738A944CFA1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph rendered in the report (edge list omitted): function at 6CCF06D7, basic blocks 6CCF06D7-6CCF0733; calls RtlAllocateHeap plus internal routines 6CCF06C4, 6CCF32E8 and 6CCF2470
                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,6CCF0185,00000001,00000364,00000000,FFFFFFFF,000000FF,?,6CCEF700,00000000,00000000), ref: 6CCF0718
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CCEC446
                              • IsDebuggerPresent.KERNEL32 ref: 6CCEC512
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CCEC52B
                              • UnhandledExceptionFilter.KERNEL32(?), ref: 6CCEC535
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CCF04DF
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CCF04E9
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CCF04F6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • String ID: R=$R=
                              APIs
                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CCF7040,?,?,00000008,?,?,6CCF6C43,00000000), ref: 6CCF7272
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: ExceptionRaise
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CCEC60E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: FeaturePresentProcessor
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: HeapProcess
                              APIs
                              • type_info::operator==.LIBVCRUNTIME ref: 6CCEDF99
                              • ___TypeMatch.LIBVCRUNTIME ref: 6CCEE0A7
                              • _UnwindNestedFrames.LIBCMT ref: 6CCEE1F9
                              • CallUnexpected.LIBVCRUNTIME ref: 6CCEE214
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                              • String ID: csm$csm$csm
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6CCECF57
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6CCECF5F
                              • _ValidateLocalCookies.LIBCMT ref: 6CCECFE8
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6CCED013
                              • _ValidateLocalCookies.LIBCMT ref: 6CCED068
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              APIs
                              • FreeLibrary.KERNEL32(00000000,?,6CCF1EF9,00000000,6CCEF700,00000000,00000000,00000001,?,6CCF2072,00000022,FlsSetValue,6CCF9898,6CCF98A0,00000000), ref: 6CCF1EAB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Similarity
                              • API ID: FreeLibrary
                              • String ID: api-ms-$ext-ms-
                              APIs
                              • GetLastError.KERNEL32(00000001,?,6CCED101,6CCEC210,6CCEBC29,?,6CCEBE61,?,00000001,?,?,00000001,?,6CCFD698,0000000C,6CCEBF5A), ref: 6CCED4DA
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CCED4E8
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CCED501
                              • SetLastError.KERNEL32(00000000,6CCEBE61,?,00000001,?,?,00000001,?,6CCFD698,0000000C,6CCEBF5A,?,00000001,?), ref: 6CCED553
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: 831ff0b6780d1d3ec00b90d0236512eb17812186cab490b9368f9c84eab93710
                              • Instruction ID: 5ae631d78c76928f48c8f3a754e31a29c0c1c94e6da505281ca48a9634098949
                              • Opcode Fuzzy Hash: 831ff0b6780d1d3ec00b90d0236512eb17812186cab490b9368f9c84eab93710
                              • Instruction Fuzzy Hash: 7701287220F3191DF7003AB67C8095A27B8EB8B3BC364432BE721A1AD0FF514805D284
                              Strings
                              • C:\Users\user\Desktop\BqDa1EBEUK.exe, xrefs: 6CCF103A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: C:\Users\user\Desktop\BqDa1EBEUK.exe
                              • API String ID: 0-300258628
                              • Opcode ID: ba3c01ad28f180655e531b84cb23638facc7ac57ec492574b32f9075bef843f9
                              • Instruction ID: 3ab993a132d705bf2d1552a24e9274779a406f785a239e65e9785979d21b5000
                              • Opcode Fuzzy Hash: ba3c01ad28f180655e531b84cb23638facc7ac57ec492574b32f9075bef843f9
                              • Instruction Fuzzy Hash: 3C219FB1204285AF9B909F6BC850E9BB7B9BF4136C7048619E938D7A50FB31E8039760
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,19A9C771,00000000,?,00000000,6CCF7942,000000FF,?,6CCEEFC8,?,?,6CCEEF9C,?), ref: 6CCEF063
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CCEF075
                              • FreeLibrary.KERNEL32(00000000,?,00000000,6CCF7942,000000FF,?,6CCEEFC8,?,?,6CCEEF9C,?), ref: 6CCEF097
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 0faabd756dbc98e823a2d96b137b5ab51e78f0ff6016bef169892630da86c0c0
                              • Instruction ID: 32af088f5216d49c2c588b7a6ad814e75df9653fe9448a3b9980628f9dcb99a8
                              • Opcode Fuzzy Hash: 0faabd756dbc98e823a2d96b137b5ab51e78f0ff6016bef169892630da86c0c0
                              • Instruction Fuzzy Hash: F301A231A00659EFDF119F91DC04FAEBBB8FF0A754F004626E831E2680EB759901CA90
                              APIs
                              • __alloca_probe_16.LIBCMT ref: 6CCF3B2A
                              • __alloca_probe_16.LIBCMT ref: 6CCF3BF3
                              • __freea.LIBCMT ref: 6CCF3C5A
                                • Part of subcall function 6CCF2C4A: HeapAlloc.KERNEL32(00000000,6CCF1597,6CCF2964,?,6CCF1597,00000220,?,?,6CCF2964), ref: 6CCF2C7C
                              • __freea.LIBCMT ref: 6CCF3C6D
                              • __freea.LIBCMT ref: 6CCF3C7A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: __freea$__alloca_probe_16$AllocHeap
                              • String ID:
                              • API String ID: 1096550386-0
                              • Opcode ID: 51bb70f00b618d9ce64296326005a4cd31ab04c3e2fa63f5158be1d8dc509331
                              • Instruction ID: 76da8229ec74a8d123856364a38a827276900a122772a49af583d36830ccd118
                              • Opcode Fuzzy Hash: 51bb70f00b618d9ce64296326005a4cd31ab04c3e2fa63f5158be1d8dc509331
                              • Instruction Fuzzy Hash: 3851D572A4124ABFEB404F66CC94EFB36A9EF44718F294228FD24D7A50F735C852C661
                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CCEDA53,00000000,?,00000001,?,?,?,6CCEDB42,00000001,FlsFree,6CCF8F70,FlsFree), ref: 6CCEDAAF
                              • GetLastError.KERNEL32(?,6CCEDA53,00000000,?,00000001,?,?,?,6CCEDB42,00000001,FlsFree,6CCF8F70,FlsFree,00000000,?,6CCED5A1), ref: 6CCEDAB9
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CCEDAE1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID: api-ms-
                              • API String ID: 3177248105-2084034818
                              • Opcode ID: 655c34e787cd56ffbfc3fe62d599a4d94f447881fddd417862d5ad13e915552f
                              • Instruction ID: 0fe6ba59aa761507e90125ecdb8026e71f0d78e2b4e2565b2e3288943d206358
                              • Opcode Fuzzy Hash: 655c34e787cd56ffbfc3fe62d599a4d94f447881fddd417862d5ad13e915552f
                              • Instruction Fuzzy Hash: C9E01A30748205BBEF101BA2EC05F4A3B76AF47F48F604022FE1CE8991E76196929A95
                              APIs
                              • GetConsoleOutputCP.KERNEL32(19A9C771,00000000,00000000,?), ref: 6CCF4215
                                • Part of subcall function 6CCF1BEC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CCF3C50,?,00000000,-00000008), ref: 6CCF1C4D
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CCF4467
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CCF44AD
                              • GetLastError.KERNEL32 ref: 6CCF4550
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                              • String ID:
                              • API String ID: 2112829910-0
                              • Opcode ID: 281758eeebacbad4227bd6b374dafb861895422748ef69091d19ebdfa4a889d3
                              • Instruction ID: 7990323771542902a8c1c9960b646e590b30ac557da9467f7343121918b10816
                              • Opcode Fuzzy Hash: 281758eeebacbad4227bd6b374dafb861895422748ef69091d19ebdfa4a889d3
                              • Instruction Fuzzy Hash: DDD17B75E002589FDF01DFE8C980AEDBBB9FF09318F24452AE565EB741E630A946CB50
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              • Opcode ID: 6c8805e3e553558f9d2c83b5bf113ded53c86ad276e2ca17fc58ef4314aac15f
                              • Instruction ID: 8f7f432037d259cc70daed61872365a5a316c83001a4f4ed493971be0b4c4dac
                              • Opcode Fuzzy Hash: 6c8805e3e553558f9d2c83b5bf113ded53c86ad276e2ca17fc58ef4314aac15f
                              • Instruction Fuzzy Hash: 7451F471A05606DFDB158F15C840BAA77B4FF8F318F20456DD91587A90F731EA81C7A0
                              APIs
                                • Part of subcall function 6CCF1BEC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CCF3C50,?,00000000,-00000008), ref: 6CCF1C4D
                              • GetLastError.KERNEL32 ref: 6CCF089C
                              • __dosmaperr.LIBCMT ref: 6CCF08A3
                              • GetLastError.KERNEL32(?,?,?,?), ref: 6CCF08DD
                              • __dosmaperr.LIBCMT ref: 6CCF08E4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                              • String ID:
                              • API String ID: 1913693674-0
                              • Opcode ID: 4d3ccbcd2780fb4994f613e16251175c5da2b6995d9631ffb8d0b103c87d7016
                              • Instruction ID: be975b10f0166a6943eebe153bba76b22df914c4ce4324c57804bd50001e8199
                              • Opcode Fuzzy Hash: 4d3ccbcd2780fb4994f613e16251175c5da2b6995d9631ffb8d0b103c87d7016
                              • Instruction Fuzzy Hash: 7A21F571604389AFDB908F76884089AB7B9FF45B297048529E87997A40FF30EC438BD0
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 6CCF1C97
                                • Part of subcall function 6CCF1BEC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CCF3C50,?,00000000,-00000008), ref: 6CCF1C4D
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CCF1CCF
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CCF1CEF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                              • String ID:
                              • API String ID: 158306478-0
                              • Opcode ID: 77256facea74daff51804823373c831402b11e6eb3fd125458c131d83e344efc
                              • Instruction ID: 451534fa840a6c18a8935c9194de571a46c5be20a95490fe217ce4bdb4500e76
                              • Opcode Fuzzy Hash: 77256facea74daff51804823373c831402b11e6eb3fd125458c131d83e344efc
                              • Instruction Fuzzy Hash: 931104F5A06159BFAB4217BB5C98CAF6E7CDF4A2983100556F831D1600FB30DD0785B0
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CCF52E8,00000000,00000001,00000000,?,?,6CCF45A4,?,00000000,00000000), ref: 6CCF5B4D
                              • GetLastError.KERNEL32(?,6CCF52E8,00000000,00000001,00000000,?,?,6CCF45A4,?,00000000,00000000,?,?,?,6CCF4B47,00000000), ref: 6CCF5B59
                                • Part of subcall function 6CCF5B1F: CloseHandle.KERNEL32(FFFFFFFE,6CCF5B69,?,6CCF52E8,00000000,00000001,00000000,?,?,6CCF45A4,?,00000000,00000000,?,?), ref: 6CCF5B2F
                              • ___initconout.LIBCMT ref: 6CCF5B69
                                • Part of subcall function 6CCF5AE1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CCF5B10,6CCF52D5,?,?,6CCF45A4,?,00000000,00000000,?), ref: 6CCF5AF4
                              • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CCF52E8,00000000,00000001,00000000,?,?,6CCF45A4,?,00000000,00000000,?), ref: 6CCF5B7E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: c1f1c4f59dc94d43b0deb5a0c0c36235178a9a22291ef6407a31911691415800
                              • Instruction ID: dfa3d774390e71bd0042cf71b5740fe907c53177f3cae2fb6b52c15db1c01a43
                              • Opcode Fuzzy Hash: c1f1c4f59dc94d43b0deb5a0c0c36235178a9a22291ef6407a31911691415800
                              • Instruction Fuzzy Hash: D9F0A236600114BBCF521FE6DC08E893F76FF06375F458111FB2995520D6328822DB94
                              APIs
                              • EncodePointer.KERNEL32(00000000,?), ref: 6CCEE244
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2145142829.000000006CCE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CCE0000, based on PE: true
                               • Associated: 00000000.00000002.2145124579.000000006CCE0000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145180993.000000006CCF8000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CCFF000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145213688.000000006CD31000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000000.00000002.2145623874.000000006CD4A000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cce0000_BqDa1EBEUK.jbxd
                              Yara matches
                              Similarity
                              • API ID: EncodePointer
                              • String ID: MOC$RCC
                              • API String ID: 2118026453-2084237596
                              • Opcode ID: 419b471a021fbeaad6608e04bcbd4fbfdaee6bdbb13bc41010f670295861d26e
                              • Instruction ID: 9906d269fb13b94d12557b47b154286b6ce18b34f212f7d6f12d4fc2fedbc50c
                              • Opcode Fuzzy Hash: 419b471a021fbeaad6608e04bcbd4fbfdaee6bdbb13bc41010f670295861d26e
                              • Instruction Fuzzy Hash: B5413972900209AFCF06CF94CC80EEE7BB5FF4A348F188159F91867660E3359951DB91

                              Execution Graph

                              Execution Coverage:16.5%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:3.1%
                              Total number of Nodes:130
                              Total number of Limit Nodes:13

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: $eq$$eq$$eq$$eq
                              • API String ID: 0-812946093
                              • Opcode ID: 5b4ef5ae83ce101dba8fed0ecb9c5eb5cf83834823ae7985363087841943733d
                              • Instruction ID: 56cc78393d281c6a7779791928bf115b2224fc0d97039f582e26c497e93168c2
                              • Opcode Fuzzy Hash: 5b4ef5ae83ce101dba8fed0ecb9c5eb5cf83834823ae7985363087841943733d
                              • Instruction Fuzzy Hash: 9CC1C774E01218CFDB64DFA9C9947AEBBB2FF49300F5081A9D409AB254DB34AE85DF50

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;=
                              • API String ID: 0-2162898869
                              • Opcode ID: 6b47d14d940ab80e924f7c566d7d51b4fc7455c46ff8fa45ec2202dfdf9976a5
                              • Instruction ID: f173a18c99b8673c90e1a2b97c55828227d7a735fcbe14c814b5fc8b974c0cbe
                              • Opcode Fuzzy Hash: 6b47d14d940ab80e924f7c566d7d51b4fc7455c46ff8fa45ec2202dfdf9976a5
                              • Instruction Fuzzy Hash: A7C2A174A112298FCBA5DF24D998BADBBB6FB49300F1085E9D409A7354DB34AE85CF40

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: .$1
                              • API String ID: 0-1839485796
                              • Opcode ID: 937f1eb93973502d1597d884fe6c53dedd87c6475361f8a23083121b67f5abf3
                              • Instruction ID: 43a1e8f862db709753c9a136e1ecdb2675a4f670819f44b995f58d75286b9cb0
                              • Opcode Fuzzy Hash: 937f1eb93973502d1597d884fe6c53dedd87c6475361f8a23083121b67f5abf3
                              • Instruction Fuzzy Hash: 75F1DD74E01228CFDB28DF65C954BADBBB2BF89301F5091A9D50AA7394DB316E81CF50
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: d874df4e8dbe19be2154d28ffa5a7dfbd3411c970dbd986d24cb700166b11ee6
                              • Instruction ID: e08f4802cdd3bdbd8e848459c5b3979b359ac2532209f4f4bc056335122b8a53
                              • Opcode Fuzzy Hash: d874df4e8dbe19be2154d28ffa5a7dfbd3411c970dbd986d24cb700166b11ee6
                              • Instruction Fuzzy Hash: A7219F74E01218AFCF18DFA9E484AEDBBB2FB89310F10916AE515B7360DB346845CF64
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dfaf99e3a32363e33df35c80cd3c219712f0aec115af43c2cb810ed4c511bd88
                              • Instruction ID: 5f5b57554fb0f7060cc15673115008742d7e6664fb87bcc655c40ebf3e70be98
                              • Opcode Fuzzy Hash: dfaf99e3a32363e33df35c80cd3c219712f0aec115af43c2cb810ed4c511bd88
                              • Instruction Fuzzy Hash: 9D229E74E01229CFDB65DF69C990BD9BBB2BF49300F1085EAD509A7250EB346E85CF80
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d54c4d1bd5b73f58b504681359b1cf37eb12d37663831ac68ef0bcd53f4adc51
                              • Instruction ID: 8aaa13d675ed24fc8e7ca37db838c163b092c7bacc2ab8d55d5eb2da4e4cb69e
                              • Opcode Fuzzy Hash: d54c4d1bd5b73f58b504681359b1cf37eb12d37663831ac68ef0bcd53f4adc51
                              • Instruction Fuzzy Hash: 6491E074E01229CFDB64DFA9C994B9DBBB2BF49300F1081A9D509A7355DB30AA85CF40

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 012CD136
                              • GetCurrentThread.KERNEL32 ref: 012CD173
                              • GetCurrentProcess.KERNEL32 ref: 012CD1B0
                              • GetCurrentThreadId.KERNEL32 ref: 012CD209
                              Memory Dump Source
                              • Source File: 00000002.00000002.2252462753.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_12c0000_MSBuild.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: a2165edf9493cd1d73a7af64f7e5adf8a7e15c8bf536a274d18c2e871c961e28
                              • Instruction ID: 5601c2b41a88b74c5954708c076d5f8af658a315859dad30a26afc069f950143
                              • Opcode Fuzzy Hash: a2165edf9493cd1d73a7af64f7e5adf8a7e15c8bf536a274d18c2e871c961e28
                              • Instruction Fuzzy Hash: 855189B09003498FDB15CFAAD948B9EBFF5EF88310F24846DE119A7361D7746844CB65

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 012CD136
                              • GetCurrentThread.KERNEL32 ref: 012CD173
                              • GetCurrentProcess.KERNEL32 ref: 012CD1B0
                              • GetCurrentThreadId.KERNEL32 ref: 012CD209
                              Memory Dump Source
                              • Source File: 00000002.00000002.2252462753.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_12c0000_MSBuild.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 54b9809614acd25bed67a01ada73157066c1a93ed096828bdeb82e82438532fc
                              • Instruction ID: 6e10eca3f41f7c5fc54920f708cb13b25ab0a81efb537876226f34f911ce495e
                              • Opcode Fuzzy Hash: 54b9809614acd25bed67a01ada73157066c1a93ed096828bdeb82e82438532fc
                              • Instruction Fuzzy Hash: 045156B091020A8FDB14CFAAD948B9EBFF5EF88310F24846DE219A7360D7745984CF65
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 012C59F1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2252462753.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_12c0000_MSBuild.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 9ad8787291def81365b49bcf490e46378a0684feed4bd81b7a13b2e333b48d7a
                              • Instruction ID: ec3951ac2c9f29bcf88af16b2cbe430efa43d6130304cd5b7f2d17f39d9eb283
                              • Opcode Fuzzy Hash: 9ad8787291def81365b49bcf490e46378a0684feed4bd81b7a13b2e333b48d7a
                              • Instruction Fuzzy Hash: AF41EFB0D10719CADB24CFAAC884BCEBBF5FF49704F20815AD508AB251DB756945CF90
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 012C59F1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2252462753.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_12c0000_MSBuild.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: ad31e7db594e855c918ca93cdf9a50b74e338929fc5e74c9051ccd97e175602b
                              • Instruction ID: b626d3bd2871d0997eb41becc73a572bc99dd8d6d465cec8beb2c448a5d7e80d
                              • Opcode Fuzzy Hash: ad31e7db594e855c918ca93cdf9a50b74e338929fc5e74c9051ccd97e175602b
                              • Instruction Fuzzy Hash: DB41DDB0D10719CADB24CFAAC884BCEBBB5FF48304F20815AD508BB251DB756949CF90
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CD387
                              Memory Dump Source
                              • Source File: 00000002.00000002.2252462753.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_12c0000_MSBuild.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: e3d01bdb11f370e162d848ca73359e6a2e906abb0390b1a91a8a51733e063364
                              • Instruction ID: e618443254c36a47b6343d528a4a0a5f22cab160d7305b0adf2fd3b9a5212455
                              • Opcode Fuzzy Hash: e3d01bdb11f370e162d848ca73359e6a2e906abb0390b1a91a8a51733e063364
                              • Instruction Fuzzy Hash: D021E6B5D002499FDB10CF9AD984ADEBFF5EB48310F14841AE914A7310D374A940CFA5
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CD387
                              Memory Dump Source
                              • Source File: 00000002.00000002.2252462753.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_12c0000_MSBuild.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 7ef85ed80e18d0d325bc2efc242bff74f788cab7b2dbce11931320f38be16ed5
                              • Instruction ID: 0f3d173d20d8f8a2dd8adc8a1821a39bebd9f00a78bfbc192c008295506508c0
                              • Opcode Fuzzy Hash: 7ef85ed80e18d0d325bc2efc242bff74f788cab7b2dbce11931320f38be16ed5
                              • Instruction Fuzzy Hash: E821C4B59102499FDB10CF9AD984ADEBFF8EB48320F14841AE918A3350D374A954DFA5
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012CB101,00000800,00000000,00000000), ref: 012CB312
                              Memory Dump Source
                              • Source File: 00000002.00000002.2252462753.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_12c0000_MSBuild.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 9624444e48ff5b74bc33a478f0686b072a68f315f16b1a294039b4c671466dd1
                              • Instruction ID: 37aa7098fed45b7fcb43ed4337d7b2b4ab798ea371d20a9eb4e8cafa3cbae967
                              • Opcode Fuzzy Hash: 9624444e48ff5b74bc33a478f0686b072a68f315f16b1a294039b4c671466dd1
                              • Instruction Fuzzy Hash: 591114B6D103498FDB10CF9AC845ADEFBF9EB48710F10852EDA19A7200C375A545CFA5
                              APIs
                              • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,071B525E), ref: 071B5366
                              Memory Dump Source
                              • Source File: 00000002.00000002.2265091163.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_71b0000_MSBuild.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 443d26c10fe772c8000beedfd59230a4f21eeb0b49c147347e8c05083abc1140
                              • Instruction ID: 538246918c19910f6692e44f0d980455bde9394c6708961bc5271e65a6916193
                              • Opcode Fuzzy Hash: 443d26c10fe772c8000beedfd59230a4f21eeb0b49c147347e8c05083abc1140
                              • Instruction Fuzzy Hash: AA1123B6D003098BCB20CF9AC944ADEFBF5EB88320F14841AD819B7350C3B5A545CFA0
                              APIs
                              • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,071B525E), ref: 071B5366
                              Memory Dump Source
                              • Source File: 00000002.00000002.2265091163.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_71b0000_MSBuild.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 04825e96c5dfb89b4391b92baed8993c432d7a5bc2979747532c24aaf7995dd7
                              • Instruction ID: 4bb08c664437ed414b3e7b42cb173679dde266cbe822aa092394ef5b4f0d8950
                              • Opcode Fuzzy Hash: 04825e96c5dfb89b4391b92baed8993c432d7a5bc2979747532c24aaf7995dd7
                              • Instruction Fuzzy Hash: 8511E2B6D002498BCB20CFAAC444ADEFBF5EF88320F14841AD419A7250D375A545CFA1
                              APIs
                              • GetKeyboardLayout.USER32(00000000), ref: 05B470CE
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID: KeyboardLayout
                              • String ID:
                              • API String ID: 194098044-0
                              • Opcode ID: 2f9b0da408d809485aa067d912f1b01f021df4e233b041c4cea2e6d436a0d0ff
                              • Instruction ID: cf88a1343ff4a164acf91c1c9b42e760c5a9c96f041fd4fe91b29c8017e7b000
                              • Opcode Fuzzy Hash: 2f9b0da408d809485aa067d912f1b01f021df4e233b041c4cea2e6d436a0d0ff
                              • Instruction Fuzzy Hash: 711113759003099FCB20EFAAD549AEEFFF4EB49320F208459D519A7340C7356544CFA1
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 012CB086
                              Memory Dump Source
                              • Source File: 00000002.00000002.2252462753.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_12c0000_MSBuild.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 2890284bcc0341e4fa49cc3ead2509c4a2f63d23694f06f047c0efdc494ee204
                              • Instruction ID: 3dfbc437b9d2a1e916fea9246be1a6c02c49b366e5f19ed3d8f90499f810084e
                              • Opcode Fuzzy Hash: 2890284bcc0341e4fa49cc3ead2509c4a2f63d23694f06f047c0efdc494ee204
                              • Instruction Fuzzy Hash: 0611D2B6C003498FDB20CF9AD444A9EFBF4EB88720F14851ED529A7210C375A545CFA1
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 05B471BD
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: fca48287786f2ca9f670024cca32c27b82f0717817b1deaaecd3d503bdd8eda9
                              • Instruction ID: 394350217b5e5ca68eca2e665c531a123c174733fac48685b0a3471cba77ddb0
                              • Opcode Fuzzy Hash: fca48287786f2ca9f670024cca32c27b82f0717817b1deaaecd3d503bdd8eda9
                              • Instruction Fuzzy Hash: BB1103B59043489FCB20DF9AD449B9EBBF8EB48320F208459D519A7300C778A944CFA5
                              APIs
                              • GetKeyboardLayout.USER32(00000000), ref: 05B470CE
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID: KeyboardLayout
                              • String ID:
                              • API String ID: 194098044-0
                              • Opcode ID: 530397367e3b28a419d4f008d87cdc375bbeb316cfde558e7464ec8daf751f14
                              • Instruction ID: b1b7c4bdab59b6ab1cf330d18979ec5297ec0b9f88d83e67723116ece29a2e06
                              • Opcode Fuzzy Hash: 530397367e3b28a419d4f008d87cdc375bbeb316cfde558e7464ec8daf751f14
                              • Instruction Fuzzy Hash: 9211E0B59003498FCB20EFAAD549AEEFBF4EB49320F20845AD519A7240C775A944CFA5
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 05B471BD
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: ab22b2791c3065d2f366430bcd61f07a68cd3b5f5c12ced5f73c0a643cf2d1a8
                              • Instruction ID: def05dd5c9447990fbe108b74c711755d9aea8d699899aa5c472861393b70804
                              • Opcode Fuzzy Hash: ab22b2791c3065d2f366430bcd61f07a68cd3b5f5c12ced5f73c0a643cf2d1a8
                              • Instruction Fuzzy Hash: 7A11E2B59003498FCB20DF9AD945BDEBBF8EB48320F24845AD519A7310C779A944CFA5
                              Memory Dump Source
                              • Source File: 00000002.00000002.2250512161.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_121d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7988b7c84ad47442ad13330a0bd4a3b7cd232e73d8db3cb3ef30e753f5f90e21
                              • Instruction ID: 0637ff6d8b519326470e224ad00fe03d386ab6f0ab423957f5e6581261545014
                              • Opcode Fuzzy Hash: 7988b7c84ad47442ad13330a0bd4a3b7cd232e73d8db3cb3ef30e753f5f90e21
                              • Instruction Fuzzy Hash: C6214871514208EFCB16DF58E9C4B26BFA5FBA8328F20C569D9050B24AC336D406C6A1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2250767354.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_122d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d4ffeaa28fc52cbfd1383599397ed86c345ee78c452bc8e36e155f7c6940dcdc
                              • Instruction ID: 1055bb3b893796e669b726657c8be6f52df28400d41f7c085f68f49cc687df16
                              • Opcode Fuzzy Hash: d4ffeaa28fc52cbfd1383599397ed86c345ee78c452bc8e36e155f7c6940dcdc
                              • Instruction Fuzzy Hash: 76112FB5614304EFCB16CF64D880B2ABB61FB84314F24CAADE9490B266C33AD506CA60
                              Memory Dump Source
                              • Source File: 00000002.00000002.2250512161.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_121d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                              • Instruction ID: 2a485fa86fcd0669aa1a5b7af3877a44de3886b9b2018f57749b11054334f2f8
                              • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                              • Instruction Fuzzy Hash: 17110376404284DFCB16CF54D5C4B16BFB1FB94324F24C6A9D9090B25BC33AD45ACBA1
                              Memory Dump Source
                              • Source File: 00000002.00000002.2250767354.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_122d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42333b6bb0cbe45242f9bcaed12ff556a9bd02c4e4ee2f36f4f18f3080df89d
                              • Instruction ID: 0bb705e81855d8bc75ff47cbce3d3896fb31b7f713dcb193d3f7ab60025bbe09
                              • Opcode Fuzzy Hash: a42333b6bb0cbe45242f9bcaed12ff556a9bd02c4e4ee2f36f4f18f3080df89d
                              • Instruction Fuzzy Hash: E3016D79504244DFDB05CF54D588B1ABFA1FB84324F28C6A9D9490F32AD33AD517CBA2
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: $eq$$eq
                              • API String ID: 0-2246304398
                              • Opcode ID: 0a4da497b857f83b145c28f8afcd36b7f90894142045fb1622a7206644b1bebe
                              • Instruction ID: eaf95074ea070d0388fcc8fa21fe1d72a61b39e3e7b024d9e3931e8323fb6817
                              • Opcode Fuzzy Hash: 0a4da497b857f83b145c28f8afcd36b7f90894142045fb1622a7206644b1bebe
                              • Instruction Fuzzy Hash: 2561BD74E012189FDB14DFA9C884AEDBBF2FF89310F648169E405AB364DB34A946DF50
                              Memory Dump Source
                              • Source File: 00000002.00000002.2265091163.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_71b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6fb5079d7103e4a5aa3d82f297a9f4aa17ea713b73983c7fef2d7cebf9c1c9b3
                              • Instruction ID: 49c9da8709e75b5e8c7e405c9adb9554121fd9b5e30c3a0371593d349645f7a9
                              • Opcode Fuzzy Hash: 6fb5079d7103e4a5aa3d82f297a9f4aa17ea713b73983c7fef2d7cebf9c1c9b3
                              • Instruction Fuzzy Hash: E1C1A274E01218CFDB54DFA9D994A9DBBB2FF89300F2085AAD409AB364DB345D86CF40
                              Memory Dump Source
                              • Source File: 00000002.00000002.2265091163.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_71b0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0794f442be7726626a0eb36b9925d0dc788c59e1485199d98df2aa5b5e707de7
                              • Instruction ID: 36bff7a1c5060c4b743def8d83c9c81788425e1f4adcbe88aeca9724fbba0be7
                              • Opcode Fuzzy Hash: 0794f442be7726626a0eb36b9925d0dc788c59e1485199d98df2aa5b5e707de7
                              • Instruction Fuzzy Hash: 7AC18274E01218CFDB54DFA9D994A9DBBB2FF89300F1085A9D409AB364DB346D86CF50
                              Memory Dump Source
                              • Source File: 00000002.00000002.2263262080.0000000005B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5b40000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3143fd281d392854d8c62d4730a12d1a76b90228dc16e2bdba5b77a1b2fda7eb
                              • Instruction ID: d8d8a2fbf23daca7912570987b9a7bb560e7a850a4ede1db1eb34db713dc9996
                              • Opcode Fuzzy Hash: 3143fd281d392854d8c62d4730a12d1a76b90228dc16e2bdba5b77a1b2fda7eb
                              • Instruction Fuzzy Hash: D7E09A30CCA10ECAEB20CFA1C254BFFF637AB05200F2064C9C80573294DBB46644AEA9