Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
fOsCO13KRs.exe

Overview

General Information

Sample name:fOsCO13KRs.exe
renamed because original name is a hash value
Original sample name:533e2a477734c51c894f95335b5af00ddbc32af0b15d5173cb49f52df01a9f88.exe
Analysis ID:1465370
MD5:cb98320171d36e2b913c56a4cddfad44
SHA1:d9d8c535906d83f2de73759af8739d2985fdf7dd
SHA256:533e2a477734c51c894f95335b5af00ddbc32af0b15d5173cb49f52df01a9f88
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • fOsCO13KRs.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\fOsCO13KRs.exe" MD5: CB98320171D36E2B913C56A4CDDFAD44)
    • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 4052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "94.228.166.68:80", "Bot Id": "@skayoker38", "Message": "Click Close to exit the program. Error code: 1142", "Authorization Header": "b8851f20ca79c66b401f2e171c930f0d"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000003.00000002.2329860401.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
      00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Process Memory Space: fOsCO13KRs.exe PID: 6332JoeSecurity_RedLineYara detected RedLine StealerJoe Security
              Click to see the 2 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              3.2.MSBuild.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                0.2.fOsCO13KRs.exe.6d17e000.2.raw.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  0.2.fOsCO13KRs.exe.6d17e000.2.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    0.2.fOsCO13KRs.exe.6d160000.1.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Silenttrinity Stager Msbuild Activity
                      Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 94.228.166.68, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4052, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49718

                      Snort Signatures

                      Timestamp:07/01/24-15:44:00.166826
                      SID:2046045
                      Source Port:49718
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:07/01/24-15:44:00.376088
                      SID:2043234
                      Source Port:80
                      Destination Port:49718
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:07/01/24-15:44:08.664219
                      SID:2043231
                      Source Port:49718
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: RedLine {"C2 url": "94.228.166.68:80", "Bot Id": "@skayoker38", "Message": "Click Close to exit the program. Error code: 1142", "Authorization Header": "b8851f20ca79c66b401f2e171c930f0d"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\d3d9.dllReversingLabs: Detection: 57%
                      Multi AV Scanner detection for submitted file
                      Source: fOsCO13KRs.exeReversingLabs: Detection: 71%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\d3d9.dllJoe Sandbox ML: detected
                      Machine Learning detection for sample
                      Source: fOsCO13KRs.exeJoe Sandbox ML: detected
                      Source: fOsCO13KRs.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49724 version: TLS 1.0
                      Source: fOsCO13KRs.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16F968 FindFirstFileExW,0_2_6D16F968
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then inc dword ptr [ebp-20h]3_2_067139C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then jmp 0671A7EDh3_2_0671A7CC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then inc dword ptr [ebp-20h]3_2_06713C93
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then jmp 06718C4Fh3_2_06718872
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then jmp 06718C4Fh3_2_06718880

                      Networking

                      barindex
                      Snort IDS alert for network traffic
                      Source: TrafficSnort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.6:49718 -> 94.228.166.68:80
                      Source: TrafficSnort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49718 -> 94.228.166.68:80
                      Source: TrafficSnort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 94.228.166.68:80 -> 192.168.2.6:49718
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: 94.228.166.68:80
                      Source: global trafficTCP traffic: 192.168.2.6:51381 -> 1.1.1.1:53
                      Source: Joe Sandbox ViewASN Name: PRANET-ASRU PRANET-ASRU
                      Source: Joe Sandbox ViewJA3 fingerprint: 1138de370e523e824bbca92d049a3777
                      Source: unknownHTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49724 version: TLS 1.0
                      Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                      Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                      Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                      Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                      Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                      Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.64
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.228.166.68
                      Source: global trafficDNS traffic detected: DNS query: api.ip.sb
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000033FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000033FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb
                      Source: fOsCO13KRs.exe, fOsCO13KRs.exe, 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmp, MSBuild.exe, 00000003.00000002.2329860401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D162970 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,0_2_6D162970
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D162D800_2_6D162D80
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D1612E00_2_6D1612E0
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D1610100_2_6D161010
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16A4E00_2_6D16A4E0
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D175F050_2_6D175F05
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D162B800_2_6D162B80
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D183B170_2_6D183B17
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307B1000_2_0307B100
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307107F0_2_0307107F
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_030790800_2_03079080
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_03078E400_2_03078E40
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307E6F00_2_0307E6F0
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307B5000_2_0307B500
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307C5600_2_0307C560
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307B3580_2_0307B358
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307B3680_2_0307B368
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_030790700_2_03079070
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_030710B00_2_030710B0
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307B0F00_2_0307B0F0
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307F7A30_2_0307F7A3
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_030797A80_2_030797A8
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_03078E100_2_03078E10
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307A6900_2_0307A690
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307E6DF0_2_0307E6DF
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307AD590_2_0307AD59
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_03070D890_2_03070D89
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_03078DA00_2_03078DA0
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_03078DC00_2_03078DC0
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_03078DD80_2_03078DD8
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_0307FC220_2_0307FC22
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_030794D80_2_030794D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0302DC743_2_0302DC74
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_067193203_2_06719320
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06710F283_2_06710F28
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06716FA83_2_06716FA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06718DC03_2_06718DC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06719B203_2_06719B20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_067178783_2_06717878
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0671A8803_2_0671A880
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_067193113_2_06719311
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06710F183_2_06710F18
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06716C603_2_06716C60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06718DB13_2_06718DB1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06719B103_2_06719B10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_067188723_2_06718872
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0671A87A3_2_0671A87A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_067188803_2_06718880
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0672EA183_2_0672EA18
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_067218403_2_06721840
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_067218313_2_06721831
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: String function: 6D16B490 appears 33 times
                      Source: fOsCO13KRs.exeBinary or memory string: OriginalFilename vs fOsCO13KRs.exe
                      Source: fOsCO13KRs.exe, 00000000.00000000.2207861031.0000000000EFC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNovaEdge22862667670.exeT vs fOsCO13KRs.exe
                      Source: fOsCO13KRs.exe, 00000000.00000002.2214343629.000000000141E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs fOsCO13KRs.exe
                      Source: fOsCO13KRs.exe, 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenameDeclinate.exe8 vs fOsCO13KRs.exe
                      Source: fOsCO13KRs.exeBinary or memory string: OriginalFilenameNovaEdge22862667670.exeT vs fOsCO13KRs.exe
                      Source: fOsCO13KRs.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: fOsCO13KRs.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/3@1/1
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeFile created: C:\Users\user\AppData\Roaming\d3d9.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03
                      Source: fOsCO13KRs.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: fOsCO13KRs.exeReversingLabs: Detection: 71%
                      Source: unknownProcess created: C:\Users\user\Desktop\fOsCO13KRs.exe "C:\Users\user\Desktop\fOsCO13KRs.exe"
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: fOsCO13KRs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: fOsCO13KRs.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: fOsCO13KRs.exeStatic file information: File size 1609728 > 1048576
                      Source: fOsCO13KRs.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x14b200
                      Source: fOsCO13KRs.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: fOsCO13KRs.exeStatic PE information: section name: .dDg
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D176634 push ecx; ret 0_2_6D176647
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D183B17 push es; retf 0_2_6D183B12
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06721661 push es; ret 3_2_06721670
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0672562F push eax; ret 3_2_06725643
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0672DEB0 push es; ret 3_2_0672DEC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06729F0B push es; iretd 3_2_06729F0C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06722293 push es; ret 3_2_067222A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06724363 push es; ret 3_2_06724370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_06724321 push es; ret 3_2_06724330
                      Source: fOsCO13KRs.exeStatic PE information: section name: .text entropy: 7.88564149410164
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeFile created: C:\Users\user\AppData\Roaming\d3d9.dllJump to dropped file
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory allocated: 3030000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory allocated: 3240000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory allocated: 3190000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 3000000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 30B0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 50B0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 3485Jump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dllJump to dropped file
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exe TID: 4072Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2052Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6792Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2260Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16F968 FindFirstFileExW,0_2_6D16F968
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                      Source: MSBuild.exe, 00000003.00000002.2338296880.0000000005BDB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
                      Source: MSBuild.exe, 00000003.00000002.2331217268.00000000036ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552LR
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.000000000364E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.0000000003581000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.00000000034A8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                      Source: MSBuild.exe, 00000003.00000002.2333978285.000000000428F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003547000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_067185B0 LdrInitializeThunk,3_2_067185B0
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16B31A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D16B31A
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D17108B GetProcessHeap,0_2_6D17108B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16B31A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D16B31A
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16AE41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6D16AE41
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16F2B7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D16F2B7
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D162D80 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,WriteProcessMemory,0_2_6D162D80
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000Jump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000Jump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E35008Jump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16B4D8 cpuid 0_2_6D16B4D8
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeQueries volume information: C:\Users\user\Desktop\fOsCO13KRs.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\fOsCO13KRs.exeCode function: 0_2_6D16AF63 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6D16AF63
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: MSBuild.exe, 00000003.00000002.2342744116.000000000A6C4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2342625680.000000000A6AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.fOsCO13KRs.exe.6d17e000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.fOsCO13KRs.exe.6d17e000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.fOsCO13KRs.exe.6d160000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.2329860401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: fOsCO13KRs.exe PID: 6332, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4052, type: MEMORYSTR
                      Found many strings related to Crypto-Wallets (likely being stolen)
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ElectrumE#
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: JaxxE#
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.walletLR
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum\walletsLR
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ExodusE#
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: EthereumE#
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                      Source: MSBuild.exe, 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: qdC:\Users\user\AppData\Roaming\Ledger Live
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                      Tries to steal Crypto Currency Wallets
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\binance\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
                      Source: Yara matchFile source: 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4052, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.fOsCO13KRs.exe.6d17e000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.fOsCO13KRs.exe.6d17e000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.fOsCO13KRs.exe.6d160000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.2329860401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: fOsCO13KRs.exe PID: 6332, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4052, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		411
                      Process Injection                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		1
                      System Time Discovery                      		Remote Services1
                      Archive Collected Data                      		12
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		1
                      Disable or Modify Tools                      		LSASS Memory351
                      Security Software Discovery                      		Remote Desktop Protocol3
                      Data from Local System                      		1
                      Non-Application Layer Protocol                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                      Virtualization/Sandbox Evasion                      		Security Account Manager1
                      Process Discovery                      		SMB/Windows Admin SharesData from Network Shared Drive12
                      Application Layer Protocol                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
                      Process Injection                      		NTDS241
                      Virtualization/Sandbox Evasion                      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Deobfuscate/Decode Files or Information                      		LSA Secrets1
                      Application Window Discovery                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
                      Obfuscated Files or Information                      		Cached Domain Credentials1
                      File and Directory Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSync124
                      System Information Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      fOsCO13KRs.exe71%ReversingLabsByteCode-MSIL.Trojan.RedLine
                      fOsCO13KRs.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\d3d9.dll100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\d3d9.dll58%ReversingLabsWin32.Trojan.LummaStealer

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://tempuri.org/0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                      https://api.ip.sb/ip0%URL Reputationsafe
                      https://www.ecosia.org/newtab/0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/08/addressing0%URL Reputationsafe
                      http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe
                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sct0%Avira URL Cloudsafe
                      https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha10%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id2Response0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id23ResponseD0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary0%Avira URL Cloudsafe
                      94.228.166.68:800%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id12Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id50%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id80%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id90%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id70%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id40%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id60%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id19Response0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/fault0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/sc0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id9Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%Avira URL Cloudsafe
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id100%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id16Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.00%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA10%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey0%Avira URL Cloudsafe
                      https://duckduckgo.com/chrome_newtabS0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id23Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id3ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT0%Avira URL Cloudsafe
                      http://tempuri.org/D0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      bg.microsoft.map.fastly.net
                      		199.232.214.172
                      		truefalse
                        		unknown
                        api.ip.sb
                        		unknown
                        		unknownfalse
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          94.228.166.68:80true
                          • Avira URL Cloud: safe
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/sc/sctMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://duckduckgo.com/ac/?q=MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id23ResponseDMSBuild.exe, 00000003.00000002.2331217268.00000000033FC000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id12ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://tempuri.org/Entity/Id2ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id21ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id9MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id8MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id5MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id4MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id7MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id6MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id19ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/faultMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsatMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id15ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id6ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://api.ip.sb/ipfOsCO13KRs.exe, fOsCO13KRs.exe, 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmp, MSBuild.exe, 00000003.00000002.2329860401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/scMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id1ResponseDMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id9ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id20MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id21MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id22MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id23MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id24MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id24ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.ecosia.org/newtab/MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://tempuri.org/Entity/Id1ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/08/addressingMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trustMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id10MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id11MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id12MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id16ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id13MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id14MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id15MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id16MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/NonceMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id17MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id18MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id5ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id19MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id10ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://tempuri.org/Entity/Id8ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            http://schemas.xmlsoap.org/ws/2006/02/addressingidentityMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/soap/envelope/MSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=MSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trustMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://duckduckgo.com/chrome_newtabSMSBuild.exe, 00000003.00000002.2333978285.00000000042AB000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id3ResponseDMSBuild.exe, 00000003.00000002.2331217268.00000000033FC000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/Entity/Id23ResponseMSBuild.exe, 00000003.00000002.2331217268.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://tempuri.org/DMSBuild.exe, 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            94.228.166.68
                            		unknownRussian Federation
                            		48467PRANET-ASRUtrue

                            General Information

                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1465370
                            Start date and time:2024-07-01 15:42:55 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 40s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:8
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:fOsCO13KRs.exe
                            renamed because original name is a hash value
                            Original Sample Name:533e2a477734c51c894f95335b5af00ddbc32af0b15d5173cb49f52df01a9f88.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@4/3@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 149
                            • Number of non-executed functions: 37
                            Cookbook Comments:
                            • Found application associated with file extension: .exe

                            Warnings

                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                            • Excluded IPs from analysis (whitelisted): 40.113.110.67, 172.67.75.172, 104.26.12.31, 104.26.13.31, 40.127.169.103, 13.95.31.18, 13.85.23.206, 20.166.126.56, 199.232.214.172, 40.113.103.199
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, wns.notify.trafficmanager.net, api.ip.sb.cdn.cloudflare.net, fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            • VT rate limit hit for: fOsCO13KRs.exe

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            09:44:05API Interceptor19x Sleep call for process: MSBuild.exe modified

                            Joe Sandbox View / Context

                            IPs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            94.228.166.68xFk6x2mrd7.exeGet hashmaliciousRedLineBrowse
                              qHYHgANDmm.exeGet hashmaliciousRedLine, XmrigBrowse

                                Domains

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                bg.microsoft.map.fastly.nethttps://cts.vresp.com/c/?WaveCompliance/d919e57ba7/b5e5b2a536/185933d903/utm_source=abhi&utm_medium=hr&utm_campaign=emailGet hashmaliciousUnknownBrowse
                                • 199.232.210.172
                                Remittance advice.exeGet hashmaliciousAgentTeslaBrowse
                                • 199.232.210.172
                                https://na4.docusign.net/Signing/EmailStart.aspx?a=95fa3666-e4d2-4181-926f-7d752b5d1bb7&acct=4b225f64-a250-4de3-9bb5-6320c76f2c33&er=388f7591-fe27-446f-8df0-11aebdd778b2Get hashmaliciousUnknownBrowse
                                • 199.232.210.172
                                mUNguTZLws.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                • 199.232.210.172
                                Agreement for Bmangan 5753.pdfGet hashmaliciousHTMLPhisherBrowse
                                • 199.232.210.172
                                http://62.133.61.26/Downloads/MOD_200.pdf.lnkGet hashmaliciousUnknownBrowse
                                • 199.232.214.172
                                http://bestresulttostart.comGet hashmaliciousUnknownBrowse
                                • 199.232.214.172
                                MacroGamer.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                • 199.232.210.172
                                https://oceanofgames.com/Get hashmaliciousUnknownBrowse
                                • 199.232.214.172
                                Renameme@1.xlsGet hashmaliciousUnknownBrowse
                                • 199.232.214.172

                                ASNs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                PRANET-ASRUxFk6x2mrd7.exeGet hashmaliciousRedLineBrowse
                                • 94.228.166.68
                                qHYHgANDmm.exeGet hashmaliciousRedLine, XmrigBrowse
                                • 94.228.166.68
                                1Vkf7silOj.exeGet hashmaliciousLummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, StealcBrowse
                                • 94.228.166.74
                                iYhvVk2ZzV.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                • 94.228.166.75
                                T4LJO0xbse.exeGet hashmaliciousQuasarBrowse
                                • 94.228.166.40
                                K3wj3nqr6c.exeGet hashmaliciousAmadeyBrowse
                                • 94.228.166.74
                                setup.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLineBrowse
                                • 94.228.166.74
                                CS32G1VhXR.exeGet hashmaliciousQuasarBrowse
                                • 94.228.166.40
                                ZXZMRvEA9M.elfGet hashmaliciousMiraiBrowse
                                • 185.46.45.224
                                2mim34IfQZ.exeGet hashmaliciousAsyncRAT, PureLog Stealer, Xmrig, zgRATBrowse
                                • 94.228.162.82

                                JA3 Fingerprints

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                1138de370e523e824bbca92d049a3777https://billetgiraud-my.sharepoint.com/:b:/g/personal/alegendre_billet-giraud_fr/Efx4UYG0L4ZEoNiA48GvwD4BVr0dIupCRWYRpuPqpENDPw?e=4%3abtbFYF&at=9Get hashmaliciousHTMLPhisherBrowse
                                • 173.222.162.64
                                https://m.exactag.com/ai.aspx?tc=d9288846bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ainjurylawkings.com%2Fwinner%2F13476%2F%2Fc2FuZWV5YS5rYW5nQDJzZmcuY29tGet hashmaliciousHTMLPhisherBrowse
                                • 173.222.162.64
                                Payment_AdviceHyperoptic.htmlGet hashmaliciousHTMLPhisherBrowse
                                • 173.222.162.64
                                https://na4.docusign.net/Signing/EmailStart.aspx?a=95fa3666-e4d2-4181-926f-7d752b5d1bb7&acct=4b225f64-a250-4de3-9bb5-6320c76f2c33&er=388f7591-fe27-446f-8df0-11aebdd778b2Get hashmaliciousUnknownBrowse
                                • 173.222.162.64
                                http://62.133.61.56/Downloads/Full%20Video%20HD%20(1080p).lnkGet hashmaliciousUnknownBrowse
                                • 173.222.162.64
                                https://m.exactag.com/ai.aspx?tc=d9476116bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ajeffreyhensley.com%2Fwinner%2F54980%2F%2Fa2VlbGV5LmhvbGdhdGVAMnNmZy5jb20=Get hashmaliciousHTMLPhisherBrowse
                                • 173.222.162.64
                                http://polyfill.ioGet hashmaliciousUnknownBrowse
                                • 173.222.162.64
                                https://bpecuniaimmobili.com/J0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MzY/Get hashmaliciousUnknownBrowse
                                • 173.222.162.64
                                https://onedrive.live.com/?authkey=%21AHR54w1YCfZUYeQ&id=ADC20E71480447CD%21127&cid=ADC20E71480447CD&parId=root&parQt=sharedby&o=OneUpGet hashmaliciousUnknownBrowse
                                • 173.222.162.64
                                https://www.salestrackingportals.com/Get hashmaliciousUnknownBrowse
                                • 173.222.162.64

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

                                Download File
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):3094
                                Entropy (8bit):5.33145931749415
                                Encrypted:false
                                SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                MD5:3FD5C0634443FB2EF2796B9636159CB6
                                SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                                SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                                SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fOsCO13KRs.exe.log

                                Download File
                                Process:C:\Users\user\Desktop\fOsCO13KRs.exe
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):226
                                Entropy (8bit):5.360398796477698
                                Encrypted:false
                                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                MD5:3A8957C6382192B71471BD14359D0B12
                                SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                                C:\Users\user\AppData\Roaming\d3d9.dll

                                Download File
                                Process:C:\Users\user\Desktop\fOsCO13KRs.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):428544
                                Entropy (8bit):5.871773702966774
                                Encrypted:false
                                SSDEEP:6144:BXwH9u+ucghyu8uO1pNOUSINyxQk3Lg4EdRNiE3bTMNfBNKv+rDo:BbcgFO8NEdRNiE3bL
                                MD5:D13D730E0A45088C4356DFBC65FF818F
                                SHA1:056FCCF8C532F18141E0056C189F3F8C4A63A31C
                                SHA-256:981F4C2C88B060C734BEB40B2C4C7E3D3E14C8D1221A4476AB7A912866772C55
                                SHA-512:98FDAEC0CD3F9979F145B4688E025CDCBB3825D6E16894025D19A509543901AC0E0E0DC058A6DF7E2F1FE450913FFE763E71DBD363525AAA349227E0A797A8BD
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 58%
                                Reputation:low
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L.....xf...........!...&.Z...6...............p............................................@.............................x...x...<................................... ...............................`...@............p..P............................text....X.......Z.................. ..`.rdata...d...p...f...^..............@..@.data...T...........................@....reloc...............v..............@..B................................................................................................................................................................................................................................................................................................................................

                                Static File Info

                                General

                                File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.794725701315532
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                • Win32 Executable (generic) a (10002005/4) 49.96%
                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:fOsCO13KRs.exe
                                File size:1'609'728 bytes
                                MD5:cb98320171d36e2b913c56a4cddfad44
                                SHA1:d9d8c535906d83f2de73759af8739d2985fdf7dd
                                SHA256:533e2a477734c51c894f95335b5af00ddbc32af0b15d5173cb49f52df01a9f88
                                SHA512:ef1508144094073ce3a6ce18caabcbb5d9405b9a594439672411974e090c4f4be4bdb9c6cf7a99ecbb802dc284fb40dcea20e197593b9bc2d1bd0de3e7e7b429
                                SSDEEP:49152:6y55n15t6mWD/+oI9Z9rqyI44HppuzGxHH8Boz:F5DjoqZ92yVG/uzGNc
                                TLSH:6B75B0F017504750D528763311BC7868A6D6F77E162A377ABF2ACE62F2D31E8D40E1A2
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xf................................. ........@.. ....................................@................................

                                File Icon

                                Icon Hash:00928e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x54d0be
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows cui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x667817A0 [Sun Jun 23 12:40:00 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0x14d0680x53.text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x18c0000x6e0.rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x18e0000xc.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x164e000x48.dDg
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x20000x14b0c40x14b200e2ce8c3e97eea4e1f2b8f2c2fb5df587False0.7870916796432617data7.88564149410164IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .dDg0x14e0000x3c4040x3c6003fb812bcccc8f4b608d294373e7cc52dFalse0.5782827057453416data6.388795580872965IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rsrc0x18c0000x6e00x800e915dbc32658fce1c640f9fdab9a2e38False0.3642578125data3.7613295511651486IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc0x18e0000xc0x20050d3c35f580058964369e5f57c3783a4False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                RT_VERSION0x18c0a00x450data0.39855072463768115
                                RT_MANIFEST0x18c4f00x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                Imports

                                DLLImport
                                mscoree.dll_CorExeMain

                                Network Behavior

                                Snort IDS Alerts

                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                07/01/24-15:44:00.166826TCP2046045ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)4971880192.168.2.694.228.166.68
                                07/01/24-15:44:00.376088TCP2043234ET MALWARE Redline Stealer TCP CnC - Id1Response804971894.228.166.68192.168.2.6
                                07/01/24-15:44:08.664219TCP2043231ET TROJAN Redline Stealer TCP CnC Activity4971880192.168.2.694.228.166.68

                                Network Port Distribution

                                TCP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Jul 1, 2024 15:43:51.789887905 CEST49674443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:43:51.789887905 CEST49673443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:43:52.086785078 CEST49672443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:43:59.291065931 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:43:59.297967911 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:43:59.298053026 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:43:59.307431936 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:43:59.312982082 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:00.131184101 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:00.166826010 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:00.174155951 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:00.376087904 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:00.430465937 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:01.399210930 CEST49673443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:01.399250031 CEST49674443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:01.696273088 CEST49672443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:03.424560070 CEST44349703173.222.162.64192.168.2.6
                                Jul 1, 2024 15:44:03.424669027 CEST49703443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:05.446974993 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:05.451776981 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:05.653198957 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:05.653543949 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:05.653678894 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:05.654328108 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:05.654340982 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:05.654400110 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:05.655689955 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:05.655704021 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:05.655791998 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.820729017 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.825699091 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825712919 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825726032 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825737000 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825763941 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.825773001 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825824022 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.825836897 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825850964 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825860977 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825892925 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.825901985 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825911045 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.825928926 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.825948000 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.825973034 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.830584049 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.830610991 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.830746889 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.830754042 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.830758095 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.830775023 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.830789089 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.830809116 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.830842972 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.830847979 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.830905914 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.830974102 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.830997944 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.831069946 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.831094980 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.831196070 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.835565090 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835619926 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835632086 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835629940 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.835700989 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835704088 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.835711956 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835747004 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835763931 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.835788965 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.835814953 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835825920 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835861921 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.835875034 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.835906029 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835956097 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835973978 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.835988045 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.835999966 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836015940 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.836041927 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.836066961 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836077929 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836090088 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836102962 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836113930 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836126089 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836201906 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836211920 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836224079 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836235046 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836245060 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836303949 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836316109 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.836442947 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840465069 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840503931 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840514898 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840533018 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840542078 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840575933 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840578079 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840593100 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840632915 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840636015 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840645075 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840656042 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840687037 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840693951 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840712070 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840735912 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840781927 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840792894 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840806961 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840817928 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840826988 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840837002 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840842962 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840867996 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.840873003 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840884924 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840894938 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840904951 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840949059 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840959072 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840970039 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840980053 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.840989113 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841073036 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841084003 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841094017 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841104031 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841114044 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841124058 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841135025 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841243029 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841253996 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841264009 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841274977 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841284990 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841295004 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841305017 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841314077 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841336966 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841346025 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841356039 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841367006 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841388941 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841398954 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841418982 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841428995 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841442108 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841486931 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841497898 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841506958 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841511011 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841521025 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841531038 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841545105 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841553926 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841559887 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.841563940 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841579914 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841609001 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841619015 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841629028 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841638088 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841649055 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.841680050 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841691017 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841701984 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841711044 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841721058 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.841732025 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845376015 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845390081 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845470905 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845508099 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845519066 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845527887 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845561028 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845570087 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845580101 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845657110 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845665932 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845675945 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845705032 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845714092 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845724106 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845741987 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845752954 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845796108 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845804930 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845824003 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845834017 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845843077 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845855951 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845906019 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.845915079 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846420050 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846569061 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846580029 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846663952 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846674919 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846693993 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846704006 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846805096 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846815109 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846826077 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846837997 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846857071 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846865892 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846873999 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846884012 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846904993 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846915007 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846925974 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846935987 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846944094 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846965075 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846975088 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.846985102 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847002983 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847012997 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847022057 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847031116 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847048998 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847058058 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847067118 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847084999 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847095013 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847217083 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847304106 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847316027 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847326994 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847336054 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847345114 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847354889 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847363949 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847373962 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847383022 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847390890 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847402096 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847443104 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847460985 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847471952 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847482920 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847491980 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847539902 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847549915 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847560883 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.847569942 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.851064920 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.851159096 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.855937004 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.855962038 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.855973005 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.855987072 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.855997086 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856005907 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856024981 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856036901 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856065035 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856075048 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856097937 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856107950 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856118917 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856131077 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856148958 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856158972 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856162071 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.856168032 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856189966 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856200933 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856210947 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856221914 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856231928 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.856232882 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856251001 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856264114 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856297016 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856307030 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856316090 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856326103 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856336117 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856345892 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856357098 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856367111 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856385946 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856395006 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856405020 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856415033 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856424093 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856434107 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856443882 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856453896 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856476068 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856496096 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856515884 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856524944 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856534004 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.856544018 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.857300043 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.857311010 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.857338905 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.857348919 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.857361078 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.857372046 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.857384920 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861368895 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861382961 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861393929 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861418009 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861428022 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861438036 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861459017 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861468077 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861478090 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861488104 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861509085 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861517906 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861530066 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861541033 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861572027 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861577988 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.861583948 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861644983 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861659050 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861660957 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.861670971 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861691952 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861701012 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861711025 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861731052 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861741066 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861749887 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861759901 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861778975 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861788988 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861799955 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861835003 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861845016 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861854076 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861864090 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861876011 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861897945 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.861907005 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862035990 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862046957 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862056971 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862066984 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862076998 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862088919 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862098932 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862108946 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862128019 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862138033 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862148046 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862157106 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862176895 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862186909 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862196922 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862206936 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.862215996 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866549015 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866621971 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866682053 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866686106 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866727114 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866731882 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866740942 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866744995 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866807938 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.866830111 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866833925 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866844893 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866849899 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866868973 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866877079 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866877079 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.866882086 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866887093 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866890907 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866894960 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866900921 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.866909981 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867012024 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867017031 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867043018 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867065907 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867069960 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867079973 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867115974 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867120028 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867166042 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867171049 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867180109 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867183924 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867202997 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867208004 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867213011 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867252111 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867261887 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867265940 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867331982 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.867383957 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.911300898 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.911549091 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.911633015 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.911633015 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.911684990 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.916402102 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916424036 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916429043 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916471958 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916476011 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916496038 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916500092 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916505098 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916512966 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916522026 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916526079 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916546106 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916549921 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916600943 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916604996 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916614056 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916626930 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916630983 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916654110 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916657925 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916667938 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916681051 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916685104 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916692972 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916734934 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916743994 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.916752100 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.944905043 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.945177078 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:07.950208902 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950218916 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950229883 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950233936 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950237989 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950249910 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950268030 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950280905 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950284958 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950294971 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950299025 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950308084 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950311899 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950359106 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950364113 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950375080 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950378895 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950381994 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950412035 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950416088 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950550079 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950553894 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950562954 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950567007 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950570107 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950582981 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950598001 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950607061 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950611115 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950654030 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950658083 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950661898 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950717926 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950721979 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.950731993 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:07.991478920 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:08.663485050 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:08.664218903 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:08.669089079 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:09.139653921 CEST804971894.228.166.68192.168.2.6
                                Jul 1, 2024 15:44:09.160691977 CEST4971880192.168.2.694.228.166.68
                                Jul 1, 2024 15:44:13.127010107 CEST49703443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:13.127432108 CEST49703443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:13.128117085 CEST49724443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:13.128160954 CEST44349724173.222.162.64192.168.2.6
                                Jul 1, 2024 15:44:13.128253937 CEST49724443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:13.133960962 CEST44349703173.222.162.64192.168.2.6
                                Jul 1, 2024 15:44:13.133989096 CEST44349703173.222.162.64192.168.2.6
                                Jul 1, 2024 15:44:13.134803057 CEST49724443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:13.134831905 CEST44349724173.222.162.64192.168.2.6
                                Jul 1, 2024 15:44:13.760607004 CEST44349724173.222.162.64192.168.2.6
                                Jul 1, 2024 15:44:13.760819912 CEST49724443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:14.625540972 CEST5138153192.168.2.61.1.1.1
                                Jul 1, 2024 15:44:14.630661964 CEST53513811.1.1.1192.168.2.6
                                Jul 1, 2024 15:44:14.630732059 CEST5138153192.168.2.61.1.1.1
                                Jul 1, 2024 15:44:14.630781889 CEST5138153192.168.2.61.1.1.1
                                Jul 1, 2024 15:44:14.635514975 CEST53513811.1.1.1192.168.2.6
                                Jul 1, 2024 15:44:15.323240995 CEST53513811.1.1.1192.168.2.6
                                Jul 1, 2024 15:44:15.324027061 CEST5138153192.168.2.61.1.1.1
                                Jul 1, 2024 15:44:15.324716091 CEST53513811.1.1.1192.168.2.6
                                Jul 1, 2024 15:44:15.324805021 CEST5138153192.168.2.61.1.1.1
                                Jul 1, 2024 15:44:15.331180096 CEST53513811.1.1.1192.168.2.6
                                Jul 1, 2024 15:44:15.331243992 CEST5138153192.168.2.61.1.1.1
                                Jul 1, 2024 15:44:32.932106018 CEST44349724173.222.162.64192.168.2.6
                                Jul 1, 2024 15:44:32.932254076 CEST49724443192.168.2.6173.222.162.64
                                Jul 1, 2024 15:44:44.851388931 CEST8049705178.79.238.128192.168.2.6
                                Jul 1, 2024 15:44:44.851576090 CEST4970580192.168.2.6178.79.238.128
                                Jul 1, 2024 15:44:44.851735115 CEST8049706178.79.238.128192.168.2.6
                                Jul 1, 2024 15:44:44.851854086 CEST4970680192.168.2.6178.79.238.128
                                Jul 1, 2024 15:44:44.851911068 CEST4970680192.168.2.6178.79.238.128
                                Jul 1, 2024 15:44:44.853141069 CEST8049705178.79.238.128192.168.2.6
                                Jul 1, 2024 15:44:44.853185892 CEST4970580192.168.2.6178.79.238.128
                                Jul 1, 2024 15:44:44.857686996 CEST8049706178.79.238.128192.168.2.6
                                Jul 1, 2024 15:44:47.861537933 CEST8049710178.79.238.128192.168.2.6
                                Jul 1, 2024 15:44:47.861733913 CEST4971080192.168.2.6178.79.238.128
                                Jul 1, 2024 15:44:47.861780882 CEST4971080192.168.2.6178.79.238.128
                                Jul 1, 2024 15:44:47.863190889 CEST8049710178.79.238.128192.168.2.6
                                Jul 1, 2024 15:44:47.863245010 CEST4971080192.168.2.6178.79.238.128
                                Jul 1, 2024 15:44:47.866631031 CEST8049710178.79.238.128192.168.2.6
                                Jul 1, 2024 15:45:33.259188890 CEST4970880192.168.2.6192.229.221.95
                                Jul 1, 2024 15:45:33.278865099 CEST8049708192.229.221.95192.168.2.6
                                Jul 1, 2024 15:45:33.278959990 CEST4970880192.168.2.6192.229.221.95
                                Jul 1, 2024 15:45:35.493398905 CEST4970980192.168.2.6192.229.221.95
                                Jul 1, 2024 15:45:35.498904943 CEST8049709192.229.221.95192.168.2.6
                                Jul 1, 2024 15:45:35.499085903 CEST4970980192.168.2.6192.229.221.95

                                UDP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Jul 1, 2024 15:44:05.756098986 CEST6144153192.168.2.61.1.1.1
                                Jul 1, 2024 15:44:14.625142097 CEST53617061.1.1.1192.168.2.6

                                DNS Queries

                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                Jul 1, 2024 15:44:05.756098986 CEST192.168.2.61.1.1.10x8500Standard query (0)api.ip.sbA (IP address)IN (0x0001)false

                                DNS Answers

                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                Jul 1, 2024 15:44:05.765065908 CEST1.1.1.1192.168.2.60x8500No error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)false
                                Jul 1, 2024 15:44:46.386404037 CEST1.1.1.1192.168.2.60xd8c1No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                Jul 1, 2024 15:44:46.386404037 CEST1.1.1.1192.168.2.60xd8c1No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false

                                HTTP Packets

                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                0192.168.2.64971894.228.166.68804052C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                TimestampBytes transferredDirectionData
                                Jul 1, 2024 15:43:59.307431936 CEST37OUTData Raw: 00 01 00 01 02 02 1b 6e 65 74 2e 74 63 70 3a 2f 2f 39 34 2e 32 32 38 2e 31 36 36 2e 36 38 3a 38 30 2f 03 08 0c
                                Data Ascii: net.tcp://94.228.166.68:80/
                                Jul 1, 2024 15:44:00.131184101 CEST1INData Raw: 0b
                                Data Ascii:
                                Jul 1, 2024 15:44:00.166826010 CEST202OUTData Raw: 06 c7 01 52 1d 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 45 6e 74 69 74 79 2f 49 64 31 1b 6e 65 74 2e 74 63 70 3a 2f 2f 39 34 2e 32 32 38 2e 31 36 36 2e 36 38 3a 38 30 2f 03 49 64 31 13 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e
                                Data Ascii: Rhttp://tempuri.org/Entity/Id1net.tcp://94.228.166.68:80/Id1http://tempuri.org/VsaVD@Authorizationns1 b8851f20ca79c66b401f2e171c930f0dDUlRE0mD,D*DVB
                                Jul 1, 2024 15:44:00.376087904 CEST142INData Raw: 06 8b 01 50 25 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 45 6e 74 69 74 79 2f 49 64 31 52 65 73 70 6f 6e 73 65 0b 49 64 31 52 65 73 70 6f 6e 73 65 13 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 09 49 64 31 52 65 73 75
                                Data Ascii: P%http://tempuri.org/Entity/Id1ResponseId1Responsehttp://tempuri.org/Id1ResultVsaVDDUlRE0mDVBB
                                Jul 1, 2024 15:44:05.446974993 CEST154OUTData Raw: 06 97 01 22 1d 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 45 6e 74 69 74 79 2f 49 64 32 03 49 64 32 56 02 0b 01 73 04 0b 01 61 06 56 08 44 0a 1e 00 82 ab 09 40 0d 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 08 03 6e 73 31 99 20 62 38 38
                                Data Ascii: "http://tempuri.org/Entity/Id2Id2VsaVD@Authorizationns1 b8851f20ca79c66b401f2e171c930f0dDE\OPKFD,D*DVB
                                Jul 1, 2024 15:44:05.653198957 CEST1236INData Raw: 06 ff 33 f8 01 25 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 45 6e 74 69 74 79 2f 49 64 32 52 65 73 70 6f 6e 73 65 0b 49 64 32 52 65 73 70 6f 6e 73 65 09 49 64 32 52 65 73 75 6c 74 06 45 6e 74 69 74 79 29 68 74 74 70 3a 2f 2f 77 77
                                Data Ascii: 3%http://tempuri.org/Entity/Id2ResponseId2ResponseId2ResultEntity)http://www.w3.org/2001/XMLSchema-instanceId1Id109http://schemas.microsoft.com/2003/10/Serialization/ArraysstringId11Id12Id13Entity17Id2Id3Entity16Id4Id5Id6I
                                Jul 1, 2024 15:44:05.653543949 CEST1236INData Raw: 46 19 99 2d 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 46 19 99 31 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37
                                Data Ascii: F-%USERPROFILE%\AppData\Local\Iridium\User DataF1%USERPROFILE%\AppData\Local\7Star\7Star\User DataF1%USERPROFILE%\AppData\Local\CentBrowser\User DataF,%USERPROFILE%\AppData\Local\Chedot\User DataF-%USERPROFILE%\AppData\Local\Vivaldi\
                                Jul 1, 2024 15:44:05.654328108 CEST1236INData Raw: 5c 55 73 65 72 20 44 61 74 61 46 19 99 35 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 53 70 75 74 6e 69 6b 5c 53 70 75 74 6e 69 6b 5c 55 73 65 72 20 44 61 74 61 46 19 99 2e 25 55 53 45 52 50 52 4f 46 49 4c
                                Data Ascii: \User DataF5%USERPROFILE%\AppData\Local\Sputnik\Sputnik\User DataF.%USERPROFILE%\AppData\Local\Nichrome\User DataF4%USERPROFILE%\AppData\Local\CocCoc\Browser\User DataF*%USERPROFILE%\AppData\Local\Uran\User DataF.%USERPROFILE%\AppDat
                                Jul 1, 2024 15:44:05.654340982 CEST1236INData Raw: 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 55 43 42 72 6f 77 73 65 72 5c 55 73 65 72 20 44 61 74 61 5f 69 31 38 6e 46 19 99 2d 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 78 74 68 6f
                                Data Ascii: FILE%\AppData\Local\UCBrowser\User Data_i18nF-%USERPROFILE%\AppData\Local\Maxthon\User DataF+%USERPROFILE%\AppData\Local\Blisk\User DataF4%USERPROFILE%\AppData\Local\AOL\AOL Shield\User DataF8%USERPROFILE%\AppData\Local\Baidu\BaiduBrow
                                Jul 1, 2024 15:44:05.655689955 CEST1236INData Raw: 65 73 46 19 99 2c 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 53 69 65 6c 6f 5c 70 72 6f 66 69 6c 65 73 46 19 99 2f 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e
                                Data Ascii: esF,%USERPROFILE%\AppData\Roaming\Sielo\profilesF/%USERPROFILE%\AppData\Roaming\Waterfox\ProfilesF:%USERPROFILE%\AppData\Roaming\conkeror.mozdev.org\conkerorF0%USERPROFILE%\AppData\Roaming\Netscape\NavigatorF/%USERPROFILE%\AppData\Ro


                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:0
                                Start time:09:43:55
                                Start date:01/07/2024
                                Path:C:\Users\user\Desktop\fOsCO13KRs.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\fOsCO13KRs.exe"
                                Imagebase:0xd70000
                                File size:1'609'728 bytes
                                MD5 hash:CB98320171D36E2B913C56A4CDDFAD44
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                General

                                Target ID:1
                                Start time:09:43:55
                                Start date:01/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:3
                                Start time:09:43:56
                                Start date:01/07/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                Imagebase:0xdb0000
                                File size:262'432 bytes
                                MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2329860401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2331217268.0000000003145000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2331217268.0000000003194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Disassembly

                                Reset < >

                                  Execution Graph

                                  Execution Coverage:24%
                                  Dynamic/Decrypted Code Coverage:1.4%
                                  Signature Coverage:9.5%
                                  Total number of Nodes:666
                                  Total number of Limit Nodes:19
                                  execution_graph 15556 56b01c8 15557 56b01de 15556->15557 15558 56b0274 15557->15558 15561 6d162d80 15557->15561 15577 6d162da0 __CreateFrameInfo 15561->15577 15562 6d169c84 CloseHandle 15562->15577 15563 6d16a3bb WriteProcessMemory 15563->15577 15564 6d168aeb CreateProcessW 15564->15577 15565 6d168c77 VirtualAlloc 15565->15577 15566 6d169bb8 WriteProcessMemory 15566->15577 15567 6d169c1d Wow64SetThreadContext ResumeThread 15567->15577 15568 6d1650c5 GetConsoleWindow ShowWindow 15585 6d1612e0 15568->15585 15570 6d1612e0 25 API calls 15570->15577 15571 6d168cba Wow64GetThreadContext 15571->15577 15572 6d1699f1 WriteProcessMemory 15572->15577 15573 6d168e85 VirtualAllocEx 15573->15577 15574 6d1699a3 ReadProcessMemory 15574->15577 15575 6d16918d WriteProcessMemory 15575->15577 15576 6d169002 WriteProcessMemory 15576->15577 15577->15562 15577->15563 15577->15564 15577->15565 15577->15566 15577->15567 15577->15568 15577->15570 15577->15571 15577->15572 15577->15573 15577->15574 15577->15575 15577->15576 15579 6d169db6 15577->15579 15584 6d169cb3 CloseHandle 15577->15584 15608 6d162970 GetModuleHandleW GetProcAddress 15577->15608 15614 6d161010 15577->15614 15618 6d16aad0 15579->15618 15581 56b04c1 15584->15577 15593 6d161308 __InternalCxxFrameHandler 15585->15593 15586 6d1618bf GetCurrentProcess 15625 6d16b6d0 15586->15625 15589 6d162275 VirtualProtect 15589->15593 15590 6d16280d CreateFileMappingA 15590->15593 15591 6d16262a FindCloseChangeNotification CloseHandle 15591->15593 15592 6d1627d1 K32GetModuleInformation 15592->15593 15593->15586 15593->15589 15593->15590 15593->15591 15593->15592 15594 6d162362 VirtualProtect 15593->15594 15595 6d16288e MapViewOfFile 15593->15595 15596 6d16294b CloseHandle 15593->15596 15597 6d161b84 GetModuleFileNameA CreateFileA 15593->15597 15598 6d162714 CloseHandle 15593->15598 15599 6d1627ab 15593->15599 15602 6d161f5d MapViewOfFile 15593->15602 15603 6d162918 CloseHandle CloseHandle 15593->15603 15604 6d161c92 CreateFileMappingA 15593->15604 15605 6d161aa7 K32GetModuleInformation 15593->15605 15606 6d161e76 CloseHandle 15593->15606 15607 6d16286d CloseHandle 15593->15607 15594->15593 15595->15593 15596->15593 15597->15593 15598->15593 15600 6d16aad0 _ValidateLocalCookies 5 API calls 15599->15600 15601 6d1627b5 15600->15601 15601->15577 15602->15593 15603->15593 15604->15593 15605->15593 15606->15593 15607->15593 15610 6d1629ce __CreateFrameInfo 15608->15610 15609 6d162a88 NtQueryInformationProcess 15609->15610 15610->15609 15611 6d162b55 15610->15611 15612 6d16aad0 _ValidateLocalCookies 5 API calls 15611->15612 15613 6d162b65 VirtualAllocEx 15612->15613 15613->15577 15615 6d161036 15614->15615 15616 6d16aad0 _ValidateLocalCookies 5 API calls 15615->15616 15617 6d161290 15616->15617 15617->15577 15619 6d16aad8 15618->15619 15620 6d16aad9 IsProcessorFeaturePresent 15618->15620 15619->15581 15622 6d16ae7e 15620->15622 15627 6d16ae41 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 15622->15627 15624 6d16af61 15624->15581 15626 6d161915 GetModuleHandleA 15625->15626 15626->15593 15627->15624 15628 6d16ae1e 15629 6d16ae27 15628->15629 15630 6d16ae2c 15628->15630 15649 6d16afb0 15629->15649 15634 6d16ace8 15630->15634 15635 6d16acf4 ___scrt_is_nonwritable_in_current_image 15634->15635 15636 6d16ad1d dllmain_raw 15635->15636 15637 6d16ad18 15635->15637 15646 6d16ad03 15635->15646 15638 6d16ad37 dllmain_crt_dispatch 15636->15638 15636->15646 15653 6d16a4e0 15637->15653 15638->15637 15638->15646 15641 6d16ad89 15642 6d16ad92 dllmain_crt_dispatch 15641->15642 15641->15646 15644 6d16ada5 dllmain_raw 15642->15644 15642->15646 15643 6d16a4e0 __DllMainCRTStartup@12 5 API calls 15645 6d16ad70 15643->15645 15644->15646 15657 6d16ac38 15645->15657 15648 6d16ad7e dllmain_raw 15648->15641 15650 6d16afc6 15649->15650 15652 6d16afcf 15650->15652 15977 6d16af63 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 15650->15977 15652->15630 15654 6d16a50b 15653->15654 15655 6d16aad0 _ValidateLocalCookies 5 API calls 15654->15655 15656 6d16aa9a 15655->15656 15656->15641 15656->15643 15658 6d16ac44 ___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 15657->15658 15659 6d16ac75 15658->15659 15660 6d16ace0 15658->15660 15676 6d16ac4d 15658->15676 15684 6d16b14b 15659->15684 15705 6d16b31a IsProcessorFeaturePresent 15660->15705 15663 6d16ac7a 15693 6d16b007 15663->15693 15665 6d16ac7f __RTC_Initialize __DllMainCRTStartup@12 15696 6d16b2ec 15665->15696 15666 6d16ace7 ___scrt_is_nonwritable_in_current_image 15667 6d16ad1d dllmain_raw 15666->15667 15668 6d16ad03 15666->15668 15669 6d16ad18 15666->15669 15667->15668 15670 6d16ad37 dllmain_crt_dispatch 15667->15670 15668->15648 15672 6d16a4e0 __DllMainCRTStartup@12 5 API calls 15669->15672 15670->15668 15670->15669 15674 6d16ad58 15672->15674 15677 6d16ad89 15674->15677 15679 6d16a4e0 __DllMainCRTStartup@12 5 API calls 15674->15679 15676->15648 15677->15668 15678 6d16ad92 dllmain_crt_dispatch 15677->15678 15678->15668 15680 6d16ada5 dllmain_raw 15678->15680 15681 6d16ad70 15679->15681 15680->15668 15682 6d16ac38 __DllMainCRTStartup@12 81 API calls 15681->15682 15683 6d16ad7e dllmain_raw 15682->15683 15683->15677 15685 6d16b150 ___scrt_release_startup_lock 15684->15685 15686 6d16b154 15685->15686 15687 6d16b160 __DllMainCRTStartup@12 15685->15687 15709 6d16e5f3 15686->15709 15690 6d16b16d 15687->15690 15713 6d16dddb 15687->15713 15689 6d16b15e 15689->15663 15690->15663 15850 6d16bf8a InterlockedFlushSList 15693->15850 15697 6d16b2f8 15696->15697 15699 6d16ac9e 15697->15699 15857 6d16e79c 15697->15857 15702 6d16acda 15699->15702 15700 6d16b306 15862 6d16bfdf 15700->15862 15960 6d16b16e 15702->15960 15706 6d16b330 __CreateFrameInfo 15705->15706 15707 6d16b3db IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 15706->15707 15708 6d16b41f __CreateFrameInfo 15707->15708 15708->15666 15710 6d16e5ff __EH_prolog3 15709->15710 15724 6d16e4be 15710->15724 15712 6d16e626 __DllMainCRTStartup@12 15712->15689 15714 6d16de08 15713->15714 15722 6d16de19 15713->15722 15795 6d16dea3 GetModuleHandleW 15714->15795 15717 6d16de57 15717->15663 15802 6d16dc8b 15722->15802 15725 6d16e4ca ___scrt_is_nonwritable_in_current_image 15724->15725 15732 6d16f1e3 EnterCriticalSection 15725->15732 15727 6d16e4d8 15733 6d16e519 15727->15733 15732->15727 15734 6d16e4e5 15733->15734 15736 6d16e538 15733->15736 15737 6d16e50d 15734->15737 15736->15734 15740 6d16f604 15736->15740 15794 6d16f22b LeaveCriticalSection 15737->15794 15739 6d16e4f6 15739->15712 15741 6d16f60f HeapFree 15740->15741 15742 6d16f639 15740->15742 15741->15742 15743 6d16f624 GetLastError 15741->15743 15742->15734 15744 6d16f631 __dosmaperr 15743->15744 15746 6d16f594 15744->15746 15749 6d16f008 GetLastError 15746->15749 15748 6d16f599 15748->15742 15750 6d16f01e 15749->15750 15751 6d16f024 15749->15751 15772 6d170ee7 15750->15772 15755 6d16f028 SetLastError 15751->15755 15777 6d170f26 15751->15777 15755->15748 15759 6d16f06e 15761 6d170f26 _unexpected 6 API calls 15759->15761 15760 6d16f05d 15762 6d170f26 _unexpected 6 API calls 15760->15762 15763 6d16f07a 15761->15763 15769 6d16f06b 15762->15769 15764 6d16f095 15763->15764 15765 6d16f07e 15763->15765 15789 6d16ecb9 15764->15789 15766 6d170f26 _unexpected 6 API calls 15765->15766 15766->15769 15767 6d16f604 ___free_lconv_mon 12 API calls 15767->15755 15769->15767 15771 6d16f604 ___free_lconv_mon 12 API calls 15771->15755 15773 6d170d85 _unexpected 5 API calls 15772->15773 15774 6d170f03 15773->15774 15775 6d170f1e TlsGetValue 15774->15775 15776 6d170f0c 15774->15776 15776->15751 15778 6d170d85 _unexpected 5 API calls 15777->15778 15779 6d170f42 15778->15779 15780 6d170f60 TlsSetValue 15779->15780 15781 6d16f040 15779->15781 15781->15755 15782 6d16f5a7 15781->15782 15787 6d16f5b4 _unexpected 15782->15787 15783 6d16f5f4 15785 6d16f594 __dosmaperr 13 API calls 15783->15785 15784 6d16f5df RtlAllocateHeap 15786 6d16f055 15784->15786 15784->15787 15785->15786 15786->15759 15786->15760 15787->15783 15787->15784 15788 6d171340 _unexpected EnterCriticalSection LeaveCriticalSection 15787->15788 15788->15787 15790 6d16eb4d _unexpected EnterCriticalSection LeaveCriticalSection 15789->15790 15791 6d16ed27 15790->15791 15792 6d16ec5f _unexpected 14 API calls 15791->15792 15793 6d16ed50 15792->15793 15793->15771 15794->15739 15796 6d16de0d 15795->15796 15796->15722 15797 6d16defe GetModuleHandleExW 15796->15797 15798 6d16df3d GetProcAddress 15797->15798 15799 6d16df51 15797->15799 15798->15799 15800 6d16df64 FreeLibrary 15799->15800 15801 6d16df6d 15799->15801 15800->15801 15801->15722 15803 6d16dc97 ___scrt_is_nonwritable_in_current_image 15802->15803 15817 6d16f1e3 EnterCriticalSection 15803->15817 15805 6d16dca1 15818 6d16dcf3 15805->15818 15807 6d16dcae 15822 6d16dccc 15807->15822 15810 6d16de72 15826 6d16dee5 15810->15826 15812 6d16de7c 15813 6d16de90 15812->15813 15814 6d16de80 GetCurrentProcess TerminateProcess 15812->15814 15815 6d16defe __CreateFrameInfo 3 API calls 15813->15815 15814->15813 15816 6d16de98 ExitProcess 15815->15816 15817->15805 15819 6d16dcff ___scrt_is_nonwritable_in_current_image __CreateFrameInfo 15818->15819 15820 6d16e5f3 __DllMainCRTStartup@12 14 API calls 15819->15820 15821 6d16dd63 __CreateFrameInfo 15819->15821 15820->15821 15821->15807 15825 6d16f22b LeaveCriticalSection 15822->15825 15824 6d16dcba 15824->15717 15824->15810 15825->15824 15829 6d16f267 15826->15829 15828 6d16deea __CreateFrameInfo 15828->15812 15830 6d16f276 __CreateFrameInfo 15829->15830 15831 6d16f283 15830->15831 15833 6d170e0a 15830->15833 15831->15828 15836 6d170d85 15833->15836 15835 6d170e26 15835->15831 15837 6d170db5 15836->15837 15841 6d170db1 _unexpected 15836->15841 15837->15841 15842 6d170cba 15837->15842 15840 6d170dcf GetProcAddress 15840->15841 15841->15835 15848 6d170ccb ___vcrt_FlsFree 15842->15848 15843 6d170d61 15843->15840 15843->15841 15844 6d170ce9 LoadLibraryExW 15845 6d170d04 GetLastError 15844->15845 15846 6d170d68 15844->15846 15845->15848 15846->15843 15847 6d170d7a FreeLibrary 15846->15847 15847->15843 15848->15843 15848->15844 15849 6d170d37 LoadLibraryExW 15848->15849 15849->15846 15849->15848 15851 6d16bf9a 15850->15851 15852 6d16b011 15850->15852 15851->15852 15854 6d16e81a 15851->15854 15852->15665 15855 6d16f604 ___free_lconv_mon 14 API calls 15854->15855 15856 6d16e832 15855->15856 15856->15851 15858 6d16e7a7 15857->15858 15859 6d16e7b9 ___scrt_uninitialize_crt 15857->15859 15860 6d16e7b5 15858->15860 15868 6d1719d5 15858->15868 15859->15700 15860->15700 15863 6d16bff2 15862->15863 15864 6d16bfe8 15862->15864 15863->15699 15935 6d16c461 15864->15935 15871 6d171866 15868->15871 15874 6d1717ba 15871->15874 15875 6d1717c6 ___scrt_is_nonwritable_in_current_image 15874->15875 15882 6d16f1e3 EnterCriticalSection 15875->15882 15877 6d1717d0 ___scrt_uninitialize_crt 15878 6d17183c 15877->15878 15883 6d17172e 15877->15883 15891 6d17185a 15878->15891 15882->15877 15884 6d17173a ___scrt_is_nonwritable_in_current_image 15883->15884 15894 6d171af2 EnterCriticalSection 15884->15894 15886 6d17177d 15906 6d1717ae 15886->15906 15887 6d171744 ___scrt_uninitialize_crt 15887->15886 15895 6d171970 15887->15895 15934 6d16f22b LeaveCriticalSection 15891->15934 15893 6d171848 15893->15860 15894->15887 15896 6d171985 ___std_exception_copy 15895->15896 15897 6d171997 15896->15897 15898 6d17198c 15896->15898 15909 6d171907 15897->15909 15900 6d171866 ___scrt_uninitialize_crt 68 API calls 15898->15900 15905 6d171992 ___std_exception_copy 15900->15905 15903 6d1719b8 15922 6d173005 15903->15922 15905->15886 15933 6d171b06 LeaveCriticalSection 15906->15933 15908 6d17179c 15908->15877 15910 6d171920 15909->15910 15911 6d171947 15909->15911 15910->15911 15912 6d171d57 ___scrt_uninitialize_crt 29 API calls 15910->15912 15911->15905 15915 6d171d57 15911->15915 15913 6d17193c 15912->15913 15914 6d173824 ___scrt_uninitialize_crt 64 API calls 15913->15914 15914->15911 15916 6d171d63 15915->15916 15917 6d171d78 15915->15917 15918 6d16f594 __dosmaperr 14 API calls 15916->15918 15917->15903 15919 6d171d68 15918->15919 15920 6d16f4b3 ___std_exception_copy 29 API calls 15919->15920 15921 6d171d73 15920->15921 15921->15903 15923 6d173016 15922->15923 15924 6d173023 15922->15924 15926 6d16f594 __dosmaperr 14 API calls 15923->15926 15925 6d17306c 15924->15925 15928 6d17304a 15924->15928 15927 6d16f594 __dosmaperr 14 API calls 15925->15927 15932 6d17301b 15926->15932 15929 6d173071 15927->15929 15930 6d172f63 ___scrt_uninitialize_crt 33 API calls 15928->15930 15931 6d16f4b3 ___std_exception_copy 29 API calls 15929->15931 15930->15932 15931->15932 15932->15905 15933->15908 15934->15893 15936 6d16c46b 15935->15936 15937 6d16bfed 15935->15937 15943 6d16c9f8 15936->15943 15939 6d16c4b8 15937->15939 15940 6d16c4e2 15939->15940 15941 6d16c4c3 15939->15941 15940->15863 15942 6d16c4cd DeleteCriticalSection 15941->15942 15942->15940 15942->15942 15948 6d16c8d2 15943->15948 15946 6d16ca2a TlsFree 15947 6d16ca1e 15946->15947 15947->15937 15949 6d16c8f3 15948->15949 15950 6d16c8ef 15948->15950 15949->15950 15951 6d16c95b GetProcAddress 15949->15951 15953 6d16c94c 15949->15953 15955 6d16c972 LoadLibraryExW 15949->15955 15950->15946 15950->15947 15951->15950 15953->15951 15954 6d16c954 FreeLibrary 15953->15954 15954->15951 15956 6d16c9b9 15955->15956 15957 6d16c989 GetLastError 15955->15957 15956->15949 15957->15956 15958 6d16c994 ___vcrt_FlsFree 15957->15958 15958->15956 15959 6d16c9aa LoadLibraryExW 15958->15959 15959->15949 15965 6d16e7cc 15960->15965 15963 6d16c461 ___vcrt_uninitialize_ptd 6 API calls 15964 6d16acdf 15963->15964 15964->15676 15968 6d16f188 15965->15968 15969 6d16f192 15968->15969 15970 6d16b175 15968->15970 15972 6d170ea8 15969->15972 15970->15963 15973 6d170d85 _unexpected 5 API calls 15972->15973 15974 6d170ec4 15973->15974 15975 6d170edf TlsFree 15974->15975 15976 6d170ecd 15974->15976 15976->15970 15977->15652 15978 6d16aade 15979 6d16ab1c 15978->15979 15980 6d16aae9 15978->15980 15983 6d16ac38 __DllMainCRTStartup@12 86 API calls 15979->15983 15981 6d16ab0e 15980->15981 15982 6d16aaee 15980->15982 15990 6d16ab31 15981->15990 15984 6d16ab04 15982->15984 15985 6d16aaf3 15982->15985 15989 6d16aaf8 15983->15989 16009 6d16b0eb 15984->16009 15985->15989 16004 6d16b10a 15985->16004 15991 6d16ab3d ___scrt_is_nonwritable_in_current_image 15990->15991 16017 6d16b17b 15991->16017 15993 6d16ab44 __DllMainCRTStartup@12 15994 6d16ac30 15993->15994 15995 6d16ab6b 15993->15995 16001 6d16aba7 ___scrt_is_nonwritable_in_current_image __CreateFrameInfo 15993->16001 15997 6d16b31a __DllMainCRTStartup@12 4 API calls 15994->15997 16028 6d16b0dd 15995->16028 15998 6d16ac37 15997->15998 15999 6d16ab7a __RTC_Initialize 15999->16001 16031 6d16affb InitializeSListHead 15999->16031 16001->15989 16002 6d16ab88 16002->16001 16032 6d16b0b2 16002->16032 16176 6d16e794 16004->16176 16379 6d16bfcc 16009->16379 16012 6d16b0f4 16012->15989 16015 6d16b107 16015->15989 16016 6d16bfd7 21 API calls 16016->16012 16018 6d16b184 16017->16018 16036 6d16b4d8 IsProcessorFeaturePresent 16018->16036 16022 6d16b195 16023 6d16b199 16022->16023 16046 6d16e777 16022->16046 16023->15993 16026 6d16b1b0 16026->15993 16027 6d16bfdf ___scrt_uninitialize_crt 7 API calls 16027->16023 16170 6d16b1b4 16028->16170 16030 6d16b0e4 16030->15999 16031->16002 16033 6d16b0b7 ___scrt_release_startup_lock 16032->16033 16034 6d16b4d8 IsProcessorFeaturePresent 16033->16034 16035 6d16b0c0 16033->16035 16034->16035 16035->16001 16037 6d16b190 16036->16037 16038 6d16bfad 16037->16038 16049 6d16c47c 16038->16049 16041 6d16bfb6 16041->16022 16043 6d16bfbe 16044 6d16bfc9 16043->16044 16045 6d16c4b8 ___vcrt_uninitialize_locks DeleteCriticalSection 16043->16045 16044->16022 16045->16041 16078 6d171298 16046->16078 16051 6d16c485 16049->16051 16052 6d16c4ae 16051->16052 16053 6d16bfb2 16051->16053 16063 6d16caac 16051->16063 16054 6d16c4b8 ___vcrt_uninitialize_locks DeleteCriticalSection 16052->16054 16053->16041 16055 6d16c42e 16053->16055 16054->16053 16068 6d16c9bd 16055->16068 16060 6d16c45e 16060->16043 16061 6d16c461 ___vcrt_uninitialize_ptd 6 API calls 16062 6d16c443 16061->16062 16062->16043 16064 6d16c8d2 ___vcrt_FlsFree 5 API calls 16063->16064 16065 6d16cac6 16064->16065 16066 6d16cae4 InitializeCriticalSectionAndSpinCount 16065->16066 16067 6d16cacf 16065->16067 16066->16067 16067->16051 16069 6d16c8d2 ___vcrt_FlsFree 5 API calls 16068->16069 16070 6d16c9d7 16069->16070 16071 6d16c9f0 TlsAlloc 16070->16071 16072 6d16c438 16070->16072 16072->16062 16073 6d16ca6e 16072->16073 16074 6d16c8d2 ___vcrt_FlsFree 5 API calls 16073->16074 16075 6d16ca88 16074->16075 16076 6d16caa3 TlsSetValue 16075->16076 16077 6d16c451 16075->16077 16076->16077 16077->16060 16077->16061 16079 6d1712a8 16078->16079 16080 6d16b1a2 16078->16080 16079->16080 16083 6d17115c 16079->16083 16088 6d17120c 16079->16088 16080->16026 16080->16027 16087 6d171163 16083->16087 16084 6d1711a6 GetStdHandle 16084->16087 16085 6d171208 16085->16079 16086 6d1711b9 GetFileType 16086->16087 16087->16084 16087->16085 16087->16086 16089 6d171218 ___scrt_is_nonwritable_in_current_image 16088->16089 16100 6d16f1e3 EnterCriticalSection 16089->16100 16091 6d17121f 16101 6d172d84 16091->16101 16094 6d17123d 16120 6d171263 16094->16120 16099 6d17115c 2 API calls 16099->16094 16100->16091 16102 6d172d90 ___scrt_is_nonwritable_in_current_image 16101->16102 16103 6d172dba 16102->16103 16104 6d172d99 16102->16104 16123 6d16f1e3 EnterCriticalSection 16103->16123 16105 6d16f594 __dosmaperr 14 API calls 16104->16105 16107 6d172d9e 16105->16107 16131 6d16f4b3 16107->16131 16108 6d172dc6 16113 6d172df2 16108->16113 16124 6d172cd4 16108->16124 16110 6d17122e 16110->16094 16114 6d1710a6 GetStartupInfoW 16110->16114 16134 6d172e19 16113->16134 16115 6d1710c3 16114->16115 16117 6d171157 16114->16117 16116 6d172d84 30 API calls 16115->16116 16115->16117 16118 6d1710eb 16116->16118 16117->16099 16118->16117 16119 6d17111b GetFileType 16118->16119 16119->16118 16169 6d16f22b LeaveCriticalSection 16120->16169 16122 6d17124e 16122->16079 16123->16108 16125 6d16f5a7 _unexpected 14 API calls 16124->16125 16130 6d172ce6 16125->16130 16126 6d172cf3 16127 6d16f604 ___free_lconv_mon 14 API calls 16126->16127 16129 6d172d48 16127->16129 16129->16108 16130->16126 16137 6d170f68 16130->16137 16142 6d16f3ff 16131->16142 16133 6d16f4bf 16133->16110 16168 6d16f22b LeaveCriticalSection 16134->16168 16136 6d172e20 16136->16110 16138 6d170d85 _unexpected 5 API calls 16137->16138 16139 6d170f84 16138->16139 16140 6d170fa2 InitializeCriticalSectionAndSpinCount 16139->16140 16141 6d170f8d 16139->16141 16140->16141 16141->16130 16143 6d16f411 ___std_exception_copy 16142->16143 16146 6d16f436 16143->16146 16145 6d16f429 ___std_exception_copy 16145->16133 16147 6d16f446 16146->16147 16148 6d16f44d 16146->16148 16157 6d16e980 GetLastError 16147->16157 16153 6d16f45b 16148->16153 16161 6d16f28e 16148->16161 16151 6d16f482 16151->16153 16164 6d16f4c3 IsProcessorFeaturePresent 16151->16164 16153->16145 16154 6d16f4b2 16155 6d16f3ff ___std_exception_copy 29 API calls 16154->16155 16156 6d16f4bf 16155->16156 16156->16145 16158 6d16e999 16157->16158 16159 6d16f0b9 ___std_exception_copy 14 API calls 16158->16159 16160 6d16e9b5 SetLastError 16159->16160 16160->16148 16162 6d16f2b2 16161->16162 16163 6d16f299 GetLastError SetLastError 16161->16163 16162->16151 16163->16151 16165 6d16f4cf 16164->16165 16166 6d16f2b7 __CreateFrameInfo 8 API calls 16165->16166 16167 6d16f4e4 GetCurrentProcess TerminateProcess 16166->16167 16167->16154 16168->16136 16169->16122 16171 6d16b1c0 16170->16171 16172 6d16b1c4 16170->16172 16171->16030 16173 6d16b31a __DllMainCRTStartup@12 4 API calls 16172->16173 16175 6d16b1d1 ___scrt_release_startup_lock 16172->16175 16174 6d16b23a 16173->16174 16175->16030 16182 6d16ee8b 16176->16182 16179 6d16bfd7 16362 6d16c363 16179->16362 16183 6d16b10f 16182->16183 16184 6d16ee95 16182->16184 16183->16179 16185 6d170ee7 _unexpected 6 API calls 16184->16185 16186 6d16ee9c 16185->16186 16186->16183 16187 6d170f26 _unexpected 6 API calls 16186->16187 16188 6d16eeaf 16187->16188 16190 6d16ed52 16188->16190 16191 6d16ed5d 16190->16191 16195 6d16ed6d 16190->16195 16196 6d16ed73 16191->16196 16194 6d16f604 ___free_lconv_mon 14 API calls 16194->16195 16195->16183 16197 6d16ed8e 16196->16197 16198 6d16ed88 16196->16198 16200 6d16f604 ___free_lconv_mon 14 API calls 16197->16200 16199 6d16f604 ___free_lconv_mon 14 API calls 16198->16199 16199->16197 16201 6d16ed9a 16200->16201 16202 6d16f604 ___free_lconv_mon 14 API calls 16201->16202 16203 6d16eda5 16202->16203 16204 6d16f604 ___free_lconv_mon 14 API calls 16203->16204 16205 6d16edb0 16204->16205 16206 6d16f604 ___free_lconv_mon 14 API calls 16205->16206 16207 6d16edbb 16206->16207 16208 6d16f604 ___free_lconv_mon 14 API calls 16207->16208 16209 6d16edc6 16208->16209 16210 6d16f604 ___free_lconv_mon 14 API calls 16209->16210 16211 6d16edd1 16210->16211 16212 6d16f604 ___free_lconv_mon 14 API calls 16211->16212 16213 6d16eddc 16212->16213 16214 6d16f604 ___free_lconv_mon 14 API calls 16213->16214 16215 6d16ede7 16214->16215 16216 6d16f604 ___free_lconv_mon 14 API calls 16215->16216 16217 6d16edf5 16216->16217 16222 6d16eb9f 16217->16222 16223 6d16ebab ___scrt_is_nonwritable_in_current_image 16222->16223 16238 6d16f1e3 EnterCriticalSection 16223->16238 16225 6d16ebdf 16239 6d16ebfe 16225->16239 16228 6d16ebb5 16228->16225 16229 6d16f604 ___free_lconv_mon 14 API calls 16228->16229 16229->16225 16230 6d16ec0a 16231 6d16ec16 ___scrt_is_nonwritable_in_current_image 16230->16231 16243 6d16f1e3 EnterCriticalSection 16231->16243 16233 6d16ec20 16244 6d16ee40 16233->16244 16235 6d16ec33 16248 6d16ec53 16235->16248 16238->16228 16242 6d16f22b LeaveCriticalSection 16239->16242 16241 6d16ebec 16241->16230 16242->16241 16243->16233 16245 6d16ee76 _unexpected 16244->16245 16246 6d16ee4f _unexpected 16244->16246 16245->16235 16246->16245 16251 6d171e9b 16246->16251 16361 6d16f22b LeaveCriticalSection 16248->16361 16250 6d16ec41 16250->16194 16252 6d171f1b 16251->16252 16254 6d171eb1 16251->16254 16255 6d16f604 ___free_lconv_mon 14 API calls 16252->16255 16277 6d171f69 16252->16277 16254->16252 16258 6d16f604 ___free_lconv_mon 14 API calls 16254->16258 16272 6d171ee4 16254->16272 16256 6d171f3d 16255->16256 16257 6d16f604 ___free_lconv_mon 14 API calls 16256->16257 16259 6d171f50 16257->16259 16263 6d171ed9 16258->16263 16265 6d16f604 ___free_lconv_mon 14 API calls 16259->16265 16260 6d16f604 ___free_lconv_mon 14 API calls 16261 6d171f10 16260->16261 16266 6d16f604 ___free_lconv_mon 14 API calls 16261->16266 16262 6d171fd7 16267 6d16f604 ___free_lconv_mon 14 API calls 16262->16267 16279 6d173e16 16263->16279 16264 6d16f604 ___free_lconv_mon 14 API calls 16269 6d171efb 16264->16269 16270 6d171f5e 16265->16270 16266->16252 16271 6d171fdd 16267->16271 16307 6d173f14 16269->16307 16274 6d16f604 ___free_lconv_mon 14 API calls 16270->16274 16271->16245 16272->16264 16276 6d171f06 16272->16276 16274->16277 16275 6d16f604 14 API calls ___free_lconv_mon 16278 6d171f77 16275->16278 16276->16260 16319 6d17200c 16277->16319 16278->16262 16278->16275 16280 6d173e27 16279->16280 16306 6d173f10 16279->16306 16281 6d173e38 16280->16281 16282 6d16f604 ___free_lconv_mon 14 API calls 16280->16282 16283 6d173e4a 16281->16283 16284 6d16f604 ___free_lconv_mon 14 API calls 16281->16284 16282->16281 16285 6d173e5c 16283->16285 16286 6d16f604 ___free_lconv_mon 14 API calls 16283->16286 16284->16283 16287 6d173e6e 16285->16287 16288 6d16f604 ___free_lconv_mon 14 API calls 16285->16288 16286->16285 16289 6d173e80 16287->16289 16290 6d16f604 ___free_lconv_mon 14 API calls 16287->16290 16288->16287 16291 6d173e92 16289->16291 16292 6d16f604 ___free_lconv_mon 14 API calls 16289->16292 16290->16289 16293 6d173ea4 16291->16293 16294 6d16f604 ___free_lconv_mon 14 API calls 16291->16294 16292->16291 16295 6d16f604 ___free_lconv_mon 14 API calls 16293->16295 16296 6d173eb6 16293->16296 16294->16293 16295->16296 16297 6d173ec8 16296->16297 16298 6d16f604 ___free_lconv_mon 14 API calls 16296->16298 16299 6d173eda 16297->16299 16300 6d16f604 ___free_lconv_mon 14 API calls 16297->16300 16298->16297 16301 6d173eec 16299->16301 16302 6d16f604 ___free_lconv_mon 14 API calls 16299->16302 16300->16299 16303 6d173efe 16301->16303 16304 6d16f604 ___free_lconv_mon 14 API calls 16301->16304 16302->16301 16305 6d16f604 ___free_lconv_mon 14 API calls 16303->16305 16303->16306 16304->16303 16305->16306 16306->16272 16308 6d173f79 16307->16308 16310 6d173f21 16307->16310 16308->16276 16309 6d173f31 16312 6d173f43 16309->16312 16313 6d16f604 ___free_lconv_mon 14 API calls 16309->16313 16310->16309 16311 6d16f604 ___free_lconv_mon 14 API calls 16310->16311 16311->16309 16314 6d173f55 16312->16314 16315 6d16f604 ___free_lconv_mon 14 API calls 16312->16315 16313->16312 16316 6d173f67 16314->16316 16317 6d16f604 ___free_lconv_mon 14 API calls 16314->16317 16315->16314 16316->16308 16318 6d16f604 ___free_lconv_mon 14 API calls 16316->16318 16317->16316 16318->16308 16320 6d172019 16319->16320 16324 6d172038 16319->16324 16320->16324 16325 6d173fa2 16320->16325 16323 6d16f604 ___free_lconv_mon 14 API calls 16323->16324 16324->16278 16326 6d172032 16325->16326 16327 6d173fb3 16325->16327 16326->16323 16328 6d173f7d _unexpected 14 API calls 16327->16328 16329 6d173fbb 16328->16329 16330 6d173f7d _unexpected 14 API calls 16329->16330 16331 6d173fc6 16330->16331 16332 6d173f7d _unexpected 14 API calls 16331->16332 16333 6d173fd1 16332->16333 16334 6d173f7d _unexpected 14 API calls 16333->16334 16335 6d173fdc 16334->16335 16336 6d173f7d _unexpected 14 API calls 16335->16336 16337 6d173fea 16336->16337 16338 6d16f604 ___free_lconv_mon 14 API calls 16337->16338 16339 6d173ff5 16338->16339 16340 6d16f604 ___free_lconv_mon 14 API calls 16339->16340 16341 6d174000 16340->16341 16342 6d16f604 ___free_lconv_mon 14 API calls 16341->16342 16343 6d17400b 16342->16343 16344 6d173f7d _unexpected 14 API calls 16343->16344 16345 6d174019 16344->16345 16346 6d173f7d _unexpected 14 API calls 16345->16346 16347 6d174027 16346->16347 16348 6d173f7d _unexpected 14 API calls 16347->16348 16349 6d174038 16348->16349 16350 6d173f7d _unexpected 14 API calls 16349->16350 16351 6d174046 16350->16351 16352 6d173f7d _unexpected 14 API calls 16351->16352 16353 6d174054 16352->16353 16354 6d16f604 ___free_lconv_mon 14 API calls 16353->16354 16355 6d17405f 16354->16355 16356 6d16f604 ___free_lconv_mon 14 API calls 16355->16356 16357 6d17406a 16356->16357 16358 6d16f604 ___free_lconv_mon 14 API calls 16357->16358 16359 6d174075 16358->16359 16360 6d16f604 ___free_lconv_mon 14 API calls 16359->16360 16360->16326 16361->16250 16363 6d16b114 16362->16363 16364 6d16c36d 16362->16364 16363->15989 16370 6d16ca33 16364->16370 16367 6d16ca6e ___vcrt_FlsSetValue 6 API calls 16368 6d16c383 16367->16368 16375 6d16c347 16368->16375 16371 6d16c8d2 ___vcrt_FlsFree 5 API calls 16370->16371 16372 6d16ca4d 16371->16372 16373 6d16ca65 TlsGetValue 16372->16373 16374 6d16c374 16372->16374 16373->16374 16374->16367 16376 6d16c351 16375->16376 16377 6d16c35e 16375->16377 16376->16377 16378 6d16e81a ___std_exception_copy 14 API calls 16376->16378 16377->16363 16378->16377 16385 6d16c39c 16379->16385 16381 6d16b0f0 16381->16012 16382 6d16e789 16381->16382 16383 6d16f008 __dosmaperr 14 API calls 16382->16383 16384 6d16b0fc 16383->16384 16384->16015 16384->16016 16386 6d16c3a5 16385->16386 16387 6d16c3a8 GetLastError 16385->16387 16386->16381 16388 6d16ca33 ___vcrt_FlsGetValue 6 API calls 16387->16388 16389 6d16c3bd 16388->16389 16390 6d16c3dc 16389->16390 16391 6d16c422 SetLastError 16389->16391 16392 6d16ca6e ___vcrt_FlsSetValue 6 API calls 16389->16392 16390->16391 16391->16381 16393 6d16c3d6 __CreateFrameInfo 16392->16393 16393->16390 16394 6d16c3fe 16393->16394 16395 6d16ca6e ___vcrt_FlsSetValue 6 API calls 16393->16395 16396 6d16ca6e ___vcrt_FlsSetValue 6 API calls 16394->16396 16397 6d16c412 16394->16397 16395->16394 16396->16397 16398 6d16e81a ___std_exception_copy 14 API calls 16397->16398 16398->16390 16399 56b0840 16400 56b0881 FindCloseChangeNotification 16399->16400 16401 56b08ae 16400->16401 16402 307f448 16403 307f48e LoadLibraryW 16402->16403 16405 307f4c7 16403->16405

                                  Executed Functions

                                  Function 6D162D80 Relevance: 75.3, APIs: 17, Strings: 22, Instructions: 7021injectionmemorythreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Memory$Write$AllocThreadVirtual$ContextWindowWow64$CloseConsoleCreateHandleReadResumeShow
                                  • String ID: "+_l$"hI$&~&$)jp^$)jp^$*vX?$*vX?$?I>>$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$EZR4$\$A$]QG$kernel32.dll$ntdll.dll$s*R.$wr4?$wr4?$K6$M[
                                  • API String ID: 3560762731-778952718
                                  • Opcode ID: 07083b02f6e0b3ed71ab06f8fdeb43a6b2d8dca32676ba14a15b683d09dac25f
                                  • Instruction ID: caf430cffda6bc92f34f6ebd5cc0d0972c8f1214cd4690d644d2ef14717a6281
                                  • Opcode Fuzzy Hash: 07083b02f6e0b3ed71ab06f8fdeb43a6b2d8dca32676ba14a15b683d09dac25f
                                  • Instruction Fuzzy Hash: FDD34532A9426BCFCB21CE2CD994BE9B7F1EB46300F01C1D5D41897698D7F59988AF60
                                  Function 6D1612E0 Relevance: 46.8, APIs: 20, Strings: 6, Instructions: 1347filememoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$Handle$File$Module$CreateInformationView$ChangeFindMappingNameNotificationProtectVirtual
                                  • String ID: .text$:M#~$:M#~$@$\Rw`$\Rw`
                                  • API String ID: 3904415148-1809350529
                                  • Opcode ID: 80d8abba01aa2c01578d2ecee9f4040fcea6ec2486ebd7c16c8298452655ab56
                                  • Instruction ID: 057df810612d18b402d8a8bd9efd78835ae984fc157bd2f963d9c27f71e6fe8f
                                  • Opcode Fuzzy Hash: 80d8abba01aa2c01578d2ecee9f4040fcea6ec2486ebd7c16c8298452655ab56
                                  • Instruction Fuzzy Hash: 68B20B72A142A18FDF24CF2CC9A4BD97BF1BB46314F018199D94DEB358C6B98A84CF51
                                  Function 0307107F Relevance: 17.3, Strings: 8, Instructions: 7335COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: [ 1$/2+;$0.0j$1T*r$9b8M$3$K${
                                  • API String ID: 0-1622119020
                                  • Opcode ID: bcb2fc7cfb6b0d9357c752c8330232f4aafa6dc1889867f061fff88170905a28
                                  • Instruction ID: ddfbd55ebdee478443395b3a0034068d65d4aeeb1aa5c85f1a53c5c3e64f115a
                                  • Opcode Fuzzy Hash: bcb2fc7cfb6b0d9357c752c8330232f4aafa6dc1889867f061fff88170905a28
                                  • Instruction Fuzzy Hash: 0FE32875F022299FDB58DF69C840A9DB7F7EB98210F5581EAD409E7350DB31AE828F40
                                  Function 030710B0 Relevance: 17.3, Strings: 8, Instructions: 7316COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: [ 1$/2+;$0.0j$1T*r$9b8M$3$K${
                                  • API String ID: 0-1622119020
                                  • Opcode ID: 131192274aab18d681ebeea8baf308d0b319d9d00b014420f4cc131f5c84e817
                                  • Instruction ID: e0036aaeeebd00f0507149b4a2e84e88ccd74209e30339ac3b5774f13184fbab
                                  • Opcode Fuzzy Hash: 131192274aab18d681ebeea8baf308d0b319d9d00b014420f4cc131f5c84e817
                                  • Instruction Fuzzy Hash: D3E31875F022299FDB58DF69C840A9DB7F7EB98210F5581EAD409E7350DB31AE828F40
                                  Function 6D162970 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 122librarynativeloaderCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3254 6d162970-6d1629ce GetModuleHandleW GetProcAddress call 6d16b6d0 3257 6d1629d5-6d1629e0 3254->3257 3258 6d1629e6-6d1629f3 3257->3258 3259 6d162b37-6d162b3e 3257->3259 3262 6d162a88-6d162acf NtQueryInformationProcess 3258->3262 3263 6d1629f9-6d162a06 3258->3263 3260 6d162b6e 3259->3260 3260->3257 3262->3260 3265 6d162ad4-6d162aea 3263->3265 3266 6d162a0c-6d162a19 3263->3266 3265->3260 3268 6d162a1f-6d162a2c 3266->3268 3269 6d162b18-6d162b1f 3266->3269 3271 6d162a32-6d162a3f 3268->3271 3272 6d162b43-6d162b50 3268->3272 3269->3260 3274 6d162b55-6d162b6d call 6d16aad0 3271->3274 3275 6d162a45-6d162a52 3271->3275 3272->3260 3279 6d162b04-6d162b13 3275->3279 3280 6d162a58-6d162a65 3275->3280 3279->3260 3282 6d162b24-6d162b32 3280->3282 3283 6d162a6b-6d162a78 3280->3283 3282->3260 3285 6d162a7e-6d162a83 3283->3285 3286 6d162aef-6d162aff 3283->3286 3285->3260 3286->3260
                                  APIs
                                  • GetModuleHandleW.KERNEL32 ref: 6D16298D
                                  • GetProcAddress.KERNEL32 ref: 6D1629A5
                                  • NtQueryInformationProcess.NTDLL ref: 6D162AB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleInformationModuleProcProcessQuery
                                  • String ID: .Eh$8#k:$NtQueryInformationProcess$ntdll.dll
                                  • API String ID: 3384173408-274043608
                                  • Opcode ID: 31979119c23f186b3939651eea714bc311bae716f948ee36b9f1ad4b45a4d4f4
                                  • Instruction ID: 4237bda451f12dad3699138cc086afffcdf6918b9f45cbd9cf3ca631db465728
                                  • Opcode Fuzzy Hash: 31979119c23f186b3939651eea714bc311bae716f948ee36b9f1ad4b45a4d4f4
                                  • Instruction Fuzzy Hash: 80517871918299DFCB25CFACD580AAEBBF0FB09300F01851AE455BB258DBF49954CF62
                                  Function 0307C560 Relevance: 4.4, Strings: 2, Instructions: 1883COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: "m$5<'
                                  • API String ID: 0-897616773
                                  • Opcode ID: aad24ef675e576ee8ff67b74de27118fc517ed5255c3982f2213048807541d57
                                  • Instruction ID: 1c62e13496839e96e12d459ff8aa8d3bc820179fdb04318c47773bf0a7f29ac9
                                  • Opcode Fuzzy Hash: aad24ef675e576ee8ff67b74de27118fc517ed5255c3982f2213048807541d57
                                  • Instruction Fuzzy Hash: 98F25975A412198FDB64CF69C8D8A99B7F2BF88300F1981E9E509EB361DB319D85CF40
                                  Function 03079080 Relevance: 4.0, Strings: 3, Instructions: 297COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3696 3079080-3079093 3697 3079095-307910d 3696->3697 3703 3079131-307914f 3697->3703 3704 307910f-3079111 3697->3704 3708 3079155-3079160 3703->3708 3704->3703 3705 3079113-3079129 3704->3705 3705->3703 3711 3079166-3079170 3708->3711 3712 30794ad-30794b4 3708->3712 3714 3079173-30791ae 3711->3714 3712->3697 3713 30794ba-30794c1 3712->3713 3714->3714 3715 30791b0-30791c8 3714->3715 3716 3079454-3079460 3715->3716 3717 30791ce-30791d5 3715->3717 3716->3697 3719 3079466-3079474 3716->3719 3717->3697 3718 30791db-3079209 3717->3718 3718->3714 3720 307920f-307923e 3718->3720 3719->3712 3721 3079476-3079489 3719->3721 3720->3697 3722 3079244-3079265 3720->3722 3721->3714 3723 307948f-30794a5 3721->3723 3722->3716 3724 307926b-30792eb 3722->3724 3723->3712 3724->3718 3730 30792f1-307935f 3724->3730 3730->3714 3733 3079365 3730->3733 3734 3079420-3079447 3733->3734 3735 307944d 3734->3735 3736 307936a-30793c7 3734->3736 3735->3716 3737 30794c2-30794d5 3736->3737 3738 30793cd-30793ef 3736->3738 3738->3714 3739 30793f5-3079419 3738->3739 3739->3734
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: '!#$+ $C$2/`
                                  • API String ID: 0-211547892
                                  • Opcode ID: 05a1b7acee762d2816a7155c40d2531373a1c58452801e762143c0a5fda7df86
                                  • Instruction ID: 0d0cd4b7f473950dea883c9d0df9f70f64443336c3590b8db945902c69531cef
                                  • Opcode Fuzzy Hash: 05a1b7acee762d2816a7155c40d2531373a1c58452801e762143c0a5fda7df86
                                  • Instruction Fuzzy Hash: 15D11575E01209CFDB58CFA9D5846EEB7F2BB88310B2481AAD405BB351D732AE15CF64
                                  Function 03079070 Relevance: 2.8, Strings: 2, Instructions: 250COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3804 3079070-3079093 3806 3079095-307910d 3804->3806 3812 3079131-3079145 3806->3812 3813 307910f-3079111 3806->3813 3815 307914b-307914f 3812->3815 3813->3812 3814 3079113-3079129 3813->3814 3814->3812 3817 3079155-3079160 3815->3817 3820 3079166-3079170 3817->3820 3821 30794ad-30794b4 3817->3821 3823 3079173-30791ae 3820->3823 3821->3806 3822 30794ba-30794c1 3821->3822 3823->3823 3824 30791b0-30791c8 3823->3824 3825 3079454-3079460 3824->3825 3826 30791ce-30791d5 3824->3826 3825->3806 3828 3079466-3079474 3825->3828 3826->3806 3827 30791db-3079209 3826->3827 3827->3823 3829 307920f-307923e 3827->3829 3828->3821 3830 3079476-3079489 3828->3830 3829->3806 3831 3079244-3079265 3829->3831 3830->3823 3832 307948f-30794a5 3830->3832 3831->3825 3833 307926b-30792eb 3831->3833 3832->3821 3833->3827 3839 30792f1-307935f 3833->3839 3839->3823 3842 3079365 3839->3842 3843 3079420-3079447 3842->3843 3844 307944d 3843->3844 3845 307936a-30793c7 3843->3845 3844->3825 3846 30794c2-30794d5 3845->3846 3847 30793cd-30793ef 3845->3847 3847->3823 3848 30793f5-3079419 3847->3848 3848->3843
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: '!#$+ $C
                                  • API String ID: 0-2421744520
                                  • Opcode ID: 91736d2f17e1d50e3c2452ac78a0e65b0aebc25809d5d8e54918d95005e1b267
                                  • Instruction ID: 62a643bfc1c56b15504f68221ab719a1e38588ff605d0e3d21008fffb2ba918c
                                  • Opcode Fuzzy Hash: 91736d2f17e1d50e3c2452ac78a0e65b0aebc25809d5d8e54918d95005e1b267
                                  • Instruction Fuzzy Hash: AAB10474E012098FCB58CFA9D5946EDB7F2BB88210B2481AAD405FB355E732AE15CF64
                                  Function 0307B0F0 Relevance: 1.4, Strings: 1, Instructions: 179COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3894 307b0f0-307b11a 3895 307b11d-307b13c 3894->3895 3897 307b13e-307b185 call 30799f0 3895->3897 3902 307b18b-307b1bc call 30799f0 3897->3902 3903 307b20a-307b20f 3897->3903 3902->3895 3911 307b1c2-307b1e3 call 30799f0 3902->3911 3904 307b211-307b217 3903->3904 3905 307b24d-307b259 3903->3905 3907 307b1e5-307b204 3904->3907 3908 307b219-307b232 3904->3908 3905->3897 3910 307b25f-307b278 3905->3910 3907->3895 3907->3903 3908->3905 3917 307b234-307b23a 3908->3917 3929 307b27b call 307b500 3910->3929 3930 307b27b call 307b590 3910->3930 3931 307b27b call 307b5c0 3910->3931 3932 307b27b call 307b4f0 3910->3932 3911->3907 3912 307b281-307b2aa 3920 307b2ac-307b2b2 3912->3920 3921 307b2fb-307b314 3912->3921 3917->3895 3919 307b240-307b24a 3917->3919 3919->3905 3920->3895 3922 307b2b8-307b2f5 3920->3922 3921->3895 3923 307b31a-307b345 3921->3923 3922->3921 3923->3895 3927 307b34b-307b352 3923->3927 3929->3912 3930->3912 3931->3912 3932->3912
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 43=.
                                  • API String ID: 0-3458117202
                                  • Opcode ID: f72d0594218c5318f30a89429459abf1f37a59d79ed35eff75ddc94db7848b88
                                  • Instruction ID: 53256708e36ef19fcd9bbd4ac3635cf358482a6b6bc2f83e0cf3496b683b0a4d
                                  • Opcode Fuzzy Hash: f72d0594218c5318f30a89429459abf1f37a59d79ed35eff75ddc94db7848b88
                                  • Instruction Fuzzy Hash: 6A518276E012298FCB58DFACC45459EF7F6AF88251B1A81AADD05EB360DB358C41CBD0
                                  Function 0307B100 Relevance: 1.4, Strings: 1, Instructions: 173COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3933 307b100-307b11a 3934 307b11d-307b13c 3933->3934 3936 307b13e-307b185 call 30799f0 3934->3936 3941 307b18b-307b1bc call 30799f0 3936->3941 3942 307b20a-307b20f 3936->3942 3941->3934 3950 307b1c2-307b1e3 call 30799f0 3941->3950 3943 307b211-307b217 3942->3943 3944 307b24d-307b259 3942->3944 3946 307b1e5-307b204 3943->3946 3947 307b219-307b232 3943->3947 3944->3936 3949 307b25f-307b278 3944->3949 3946->3934 3946->3942 3947->3944 3956 307b234-307b23a 3947->3956 3968 307b27b call 307b500 3949->3968 3969 307b27b call 307b590 3949->3969 3970 307b27b call 307b5c0 3949->3970 3971 307b27b call 307b4f0 3949->3971 3950->3946 3951 307b281-307b2aa 3959 307b2ac-307b2b2 3951->3959 3960 307b2fb-307b314 3951->3960 3956->3934 3958 307b240-307b24a 3956->3958 3958->3944 3959->3934 3961 307b2b8-307b2f5 3959->3961 3960->3934 3962 307b31a-307b345 3960->3962 3961->3960 3962->3934 3966 307b34b-307b352 3962->3966 3968->3951 3969->3951 3970->3951 3971->3951
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 43=.
                                  • API String ID: 0-3458117202
                                  • Opcode ID: d3be164218c9db1a108d355516f0cf210ac08ecce4c4a42d8ec8b2cc79f5920b
                                  • Instruction ID: f4547615f7f3666240c428b56775c39e5a335d9cc945604bb5f84f1d2dbfe9f4
                                  • Opcode Fuzzy Hash: d3be164218c9db1a108d355516f0cf210ac08ecce4c4a42d8ec8b2cc79f5920b
                                  • Instruction Fuzzy Hash: 32519136E012298F8B58DFADC45449EF7F6AF88250B5A81AADD15FB360DB358C41CBD0
                                  Function 0307B500 Relevance: .4, Instructions: 442COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3972 307b500-307b50a 3973 307b50c-307b531 call 307a028 3972->3973 3977 307b533-307b539 3973->3977 3978 307b55f-307b565 3973->3978 3977->3973 3979 307b53b-307b53d 3977->3979 3978->3979 3980 307b567-307b5ce 3978->3980 3981 307b557-307b55e 3979->3981 3982 307b53f-307b545 3979->3982 3989 307b5d3-307b5e2 3980->3989 3983 307b547 3982->3983 3984 307b549-307b555 3982->3984 3983->3981 3984->3981 3991 307b69a-307b6bd 3989->3991 3992 307b5e8-307b5ee 3989->3992 3991->3989 4000 307b6c3-307b6d2 3991->4000 3993 307b607-307b61c 3992->3993 3994 307b5f0-307b5ff 3992->3994 3996 307b63f-307b653 3993->3996 4001 307b61e-307b624 3993->4001 3995 307b601 3994->3995 3994->3996 3995->3993 3996->3993 3999 307b655-307b665 3996->3999 4019 307b667-307b670 3999->4019 4020 307b688 3999->4020 4002 307b6d4 4000->4002 4003 307b6db-307b6e6 4000->4003 4001->3989 4004 307b626-307b639 4001->4004 4002->4003 4007 307b8a5-307b8c9 4002->4007 4008 307b804-307b823 call 3079988 4002->4008 4009 307b880-307b8a0 4002->4009 4010 307b7ae-307b7b4 4002->4010 4011 307b8ce-307b8f2 4002->4011 4012 307b72d-307b74d 4002->4012 4013 307b789-307b7a9 4002->4013 4014 307b828-307b830 4002->4014 4015 307b752-307b75e 4002->4015 4016 307b6f1-307b702 4002->4016 4017 307b7df-307b7ff 4002->4017 4018 307b85b-307b87b 4002->4018 4003->4004 4005 307b6ec-307b8fd 4003->4005 4004->3996 4005->3994 4032 307b903-307b91b 4005->4032 4057 307badf-307bae6 4007->4057 4008->4057 4009->4057 4010->4000 4023 307b7ba-307b7da 4010->4023 4011->4057 4012->4057 4013->4057 4014->3989 4022 307b836-307b842 4014->4022 4015->3996 4021 307b764-307b784 4015->4021 4016->3989 4025 307b708-307b728 4016->4025 4017->4057 4018->4057 4027 307b677-307b684 4019->4027 4028 307b672-307b675 4019->4028 4030 307b68b 4020->4030 4021->4057 4058 307b84a-307b856 4022->4058 4023->4057 4025->4057 4039 307b686 4027->4039 4028->4039 4047 307b693-307b695 4030->4047 4059 307b91d-307b935 4032->4059 4060 307b998-307b99e 4032->4060 4039->4030 4047->4057 4058->4057 4067 307b937-307b953 4059->4067 4068 307b95d-307b966 4059->4068 4060->3994 4070 307b9a4-307b9b6 4060->4070 4067->3989 4076 307b959-307b95b 4067->4076 4077 307b975-307b978 4068->4077 4078 307b968-307b96b 4068->4078 4083 307ba20-307ba32 4070->4083 4084 307b9b8-307b9c2 4070->4084 4081 307b97b-307b993 4076->4081 4077->4081 4078->4077 4081->4057 4094 307ba34-307ba3b 4083->4094 4095 307ba5f-307ba79 4083->4095 4086 307b9c4-307b9cf 4084->4086 4087 307b9d9-307b9df 4084->4087 4086->3989 4090 307b9d5-307b9d7 4086->4090 4087->4004 4088 307b9e5-307b9ee 4087->4088 4092 307b9f0-307b9f3 4088->4092 4093 307b9fd-307ba00 4088->4093 4091 307ba03-307ba1b 4090->4091 4091->4057 4092->4093 4093->4091 4094->3994 4097 307ba41-307ba5a 4094->4097 4101 307bac7-307badd call 3078d80 4095->4101 4102 307ba7b-307ba90 4095->4102 4097->4057 4101->4057 4104 307ba92-307ba97 4102->4104 4105 307ba99-307baa1 4102->4105 4108 307baa3-307bac5 4104->4108 4105->4108 4108->4057
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5158241c0483ac4951dc5ea72f2ccb4e652c91cdfed1a278b591c60d2fb29377
                                  • Instruction ID: 982376fc3f51699f962c0a13cb0f7ceaebad3049f77fb19b34293f2c3257de5e
                                  • Opcode Fuzzy Hash: 5158241c0483ac4951dc5ea72f2ccb4e652c91cdfed1a278b591c60d2fb29377
                                  • Instruction Fuzzy Hash: 4BE1F835F051259FCB58EA6C885867FB6E7BBC8250B0A497DD90AEB398DE308C0587D4
                                  Function 0307E6F0 Relevance: .3, Instructions: 310COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a6a2dfa14d7f4a8ae877f0d1d0c5396e5020d3726038c6ff95e6479b5661933
                                  • Instruction ID: 5d58f97d97ea9663e3eda8f06bf81eac6372aa73e820a93f33fa2367b6713341
                                  • Opcode Fuzzy Hash: 2a6a2dfa14d7f4a8ae877f0d1d0c5396e5020d3726038c6ff95e6479b5661933
                                  • Instruction Fuzzy Hash: 29B13835F017098FDB14DFA9C89499DBBF2BF88300B6581A9E509EB365DB70AC45CB44
                                  Function 03078DD8 Relevance: .2, Instructions: 213COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28912a10003d7dd5d30a521f7d71fcaa7d80ec3595285e157806b231e8c609ba
                                  • Instruction ID: ebf68160a47d06816cec25175dfa8b0c833693116bbd5ba1bf7c8576de947c61
                                  • Opcode Fuzzy Hash: 28912a10003d7dd5d30a521f7d71fcaa7d80ec3595285e157806b231e8c609ba
                                  • Instruction Fuzzy Hash: BB611473F116254BDB54CEADCC8469AB7E7AFC821470E81AAD849FB351EA349C05CBD0
                                  Function 03078DA0 Relevance: .2, Instructions: 185COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6429001048f6700cf2246c0f07c3381796e32ae2cc01e82be5c39cc0ca6217d4
                                  • Instruction ID: 1eb18f84a2fb9c8a7b39809c09bcb8816609dc16b39884624ff4b3d68c8a6947
                                  • Opcode Fuzzy Hash: 6429001048f6700cf2246c0f07c3381796e32ae2cc01e82be5c39cc0ca6217d4
                                  • Instruction Fuzzy Hash: 6F51F2B3F105394BDB54CE6DCC8469AB7E3ABD8214B0E816AD809FB351E6349D058BC0
                                  Function 03078DC0 Relevance: .2, Instructions: 183COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a36a04d4244f487abd0e6854a898fa70d98eeec863e952a6d10f5da58d841bd5
                                  • Instruction ID: 5c296b7885825832574bb2854bf6396667844e3adcd0e2a2bb3ba45b70a9f4c5
                                  • Opcode Fuzzy Hash: a36a04d4244f487abd0e6854a898fa70d98eeec863e952a6d10f5da58d841bd5
                                  • Instruction Fuzzy Hash: 7E511473F105394BDB18CE6DCC8469AB7E7ABD8214B0E81AAD809FB351E6349C05CBD0
                                  Function 0307E6DF Relevance: .2, Instructions: 182COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c17a90ab1512d4fa8292c4be68a31fc02537f1ad375ef0597f9a10166cbfb8fb
                                  • Instruction ID: 88693e6a3743849812c81856c5687d0f5d47efe22f9997c1f08c271e43b36fd5
                                  • Opcode Fuzzy Hash: c17a90ab1512d4fa8292c4be68a31fc02537f1ad375ef0597f9a10166cbfb8fb
                                  • Instruction Fuzzy Hash: 33618B35F023098BDB14DFA9C8C469DBBF2BF98300F6581A9E509AB355EB70AC45CB44
                                  Function 03078E10 Relevance: .2, Instructions: 181COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b06ac01e9a3a540e51c69b4f92fd159a435ea18f651cc1e33886bb2febfd2982
                                  • Instruction ID: 5b32928559247930268835715c9287c9ab7d7328b514a002e4ee9ca7e71ba3d4
                                  • Opcode Fuzzy Hash: b06ac01e9a3a540e51c69b4f92fd159a435ea18f651cc1e33886bb2febfd2982
                                  • Instruction Fuzzy Hash: 9651F373F106394BDB54CE6DCC8469AB7E36BD8214B0E816AD809FB355E6349D05CBD0
                                  Function 03078E40 Relevance: .2, Instructions: 167COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2dbc931eb4dd3a21e63b6d9610da6bed7671fc0599270241e2424fbe71d4b4dd
                                  • Instruction ID: 64ca86f454a962bf908ef2290e2b66f531a75853d46d0a35de990bd0406fa887
                                  • Opcode Fuzzy Hash: 2dbc931eb4dd3a21e63b6d9610da6bed7671fc0599270241e2424fbe71d4b4dd
                                  • Instruction Fuzzy Hash: 2251F173F105394B9B58CE6ECC8459EB7E76BD821470E816AD80AFB354EA349D05CBD0
                                  Function 6D16AC38 Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3288 6d16ac38-6d16ac4b call 6d16b490 3291 6d16ac51-6d16ac73 call 6d16b080 3288->3291 3292 6d16ac4d-6d16ac4f 3288->3292 3296 6d16ac75-6d16acb8 call 6d16b14b call 6d16b007 call 6d16b463 call 6d16accd call 6d16b2ec call 6d16acda 3291->3296 3297 6d16ace0-6d16acf9 call 6d16b31a call 6d16b490 3291->3297 3293 6d16acba-6d16acc9 3292->3293 3296->3293 3308 6d16ad0a-6d16ad11 3297->3308 3309 6d16acfb-6d16ad01 3297->3309 3312 6d16ad13-6d16ad16 3308->3312 3313 6d16ad1d-6d16ad31 dllmain_raw 3308->3313 3309->3308 3311 6d16ad03-6d16ad05 3309->3311 3315 6d16ade3-6d16adf2 3311->3315 3312->3313 3316 6d16ad18-6d16ad1b 3312->3316 3318 6d16ad37-6d16ad48 dllmain_crt_dispatch 3313->3318 3319 6d16adda-6d16ade1 3313->3319 3320 6d16ad4e-6d16ad60 call 6d16a4e0 3316->3320 3318->3319 3318->3320 3319->3315 3327 6d16ad62-6d16ad64 3320->3327 3328 6d16ad89-6d16ad8b 3320->3328 3327->3328 3329 6d16ad66-6d16ad84 call 6d16a4e0 call 6d16ac38 dllmain_raw 3327->3329 3330 6d16ad92-6d16ada3 dllmain_crt_dispatch 3328->3330 3331 6d16ad8d-6d16ad90 3328->3331 3329->3328 3330->3319 3333 6d16ada5-6d16add7 dllmain_raw 3330->3333 3331->3319 3331->3330 3333->3319
                                  APIs
                                  • __RTC_Initialize.LIBCMT ref: 6D16AC7F
                                  • ___scrt_uninitialize_crt.LIBCMT ref: 6D16AC99
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize___scrt_uninitialize_crt
                                  • String ID:
                                  • API String ID: 2442719207-0
                                  • Opcode ID: 0814b5fbf1473cf2cf5fb1acdc792e3a3a3be9116c24439e3021c078c07da648
                                  • Instruction ID: 0320bae63017712d0951a5bfbb70c810b8e495cf307bee90959bbf1a5205dbb4
                                  • Opcode Fuzzy Hash: 0814b5fbf1473cf2cf5fb1acdc792e3a3a3be9116c24439e3021c078c07da648
                                  • Instruction Fuzzy Hash: 1E41E572D082B9ABCB219F58C940FAE7BB8FB8175AF024015F92557258D7F089219BF0
                                  Function 6D16ACE8 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3338 6d16ace8-6d16acf9 call 6d16b490 3341 6d16ad0a-6d16ad11 3338->3341 3342 6d16acfb-6d16ad01 3338->3342 3344 6d16ad13-6d16ad16 3341->3344 3345 6d16ad1d-6d16ad31 dllmain_raw 3341->3345 3342->3341 3343 6d16ad03-6d16ad05 3342->3343 3346 6d16ade3-6d16adf2 3343->3346 3344->3345 3347 6d16ad18-6d16ad1b 3344->3347 3348 6d16ad37-6d16ad48 dllmain_crt_dispatch 3345->3348 3349 6d16adda-6d16ade1 3345->3349 3350 6d16ad4e-6d16ad60 call 6d16a4e0 3347->3350 3348->3349 3348->3350 3349->3346 3353 6d16ad62-6d16ad64 3350->3353 3354 6d16ad89-6d16ad8b 3350->3354 3353->3354 3355 6d16ad66-6d16ad84 call 6d16a4e0 call 6d16ac38 dllmain_raw 3353->3355 3356 6d16ad92-6d16ada3 dllmain_crt_dispatch 3354->3356 3357 6d16ad8d-6d16ad90 3354->3357 3355->3354 3356->3349 3359 6d16ada5-6d16add7 dllmain_raw 3356->3359 3357->3349 3357->3356 3359->3349
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: dllmain_raw$dllmain_crt_dispatch
                                  • String ID:
                                  • API String ID: 3136044242-0
                                  • Opcode ID: 89b38139b6d9be913ee2f6bab5d9c6278a1e3d6d8496d5bf7be0d43093249218
                                  • Instruction ID: b5f4137ccf2c5ebc54e5611440d137c5e37386a6ecddb44ca2565adc265a5552
                                  • Opcode Fuzzy Hash: 89b38139b6d9be913ee2f6bab5d9c6278a1e3d6d8496d5bf7be0d43093249218
                                  • Instruction Fuzzy Hash: DB21C472D042BAABCB219F14CD40EBF7A79FB91B96F024015F92557218C7B08D619BF0
                                  Function 6D16AB31 Relevance: 3.1, APIs: 2, Instructions: 76COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3741 6d16ab31-6d16ab3f call 6d16b490 call 6d16b17b 3745 6d16ab44-6d16ab47 3741->3745 3746 6d16ac1e 3745->3746 3747 6d16ab4d-6d16ab65 call 6d16b080 3745->3747 3748 6d16ac20-6d16ac2f 3746->3748 3751 6d16ac30-6d16ac37 call 6d16b31a 3747->3751 3752 6d16ab6b-6d16ab7c call 6d16b0dd 3747->3752 3757 6d16ab7e-6d16aba0 call 6d16b437 call 6d16affb call 6d16b01f call 6d16daf7 3752->3757 3758 6d16abcb-6d16abd9 call 6d16ac14 3752->3758 3757->3758 3777 6d16aba2-6d16aba9 call 6d16b0b2 3757->3777 3758->3746 3763 6d16abdb-6d16abe5 call 6d16b314 3758->3763 3769 6d16ac06-6d16ac0f 3763->3769 3770 6d16abe7-6d16abf0 call 6d16b23b 3763->3770 3769->3748 3770->3769 3776 6d16abf2-6d16ac04 3770->3776 3776->3769 3777->3758 3781 6d16abab-6d16abc8 call 6d16dacc 3777->3781 3781->3758
                                  APIs
                                  • __RTC_Initialize.LIBCMT ref: 6D16AB7E
                                    • Part of subcall function 6D16AFFB: InitializeSListHead.KERNEL32(6D1C9420,6D16AB88,6D17C650,00000010,6D16AB19,?,?,?,6D16AD41,?,00000001,?,?,00000001,?,6D17C698), ref: 6D16B000
                                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D16ABE8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                  • String ID:
                                  • API String ID: 3231365870-0
                                  • Opcode ID: 9e0c2dd5bd0499302965c1c6a09a3bb93e19007b0aa6c4923771886369e9b71c
                                  • Instruction ID: 72e50984b044e21c85a313ec880c26a392247261bd29fc366182b6d58284b453
                                  • Opcode Fuzzy Hash: 9e0c2dd5bd0499302965c1c6a09a3bb93e19007b0aa6c4923771886369e9b71c
                                  • Instruction Fuzzy Hash: 9421277264C3D29ADF10AFB4A614FBC3B719F1222EF21405AE651572CBDBE240A4C7B1
                                  Function 6D17115C Relevance: 3.1, APIs: 2, Instructions: 65COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3784 6d17115c-6d171161 3785 6d171163-6d17117b 3784->3785 3786 6d17117d-6d171181 3785->3786 3787 6d171189-6d171192 3785->3787 3786->3787 3788 6d171183-6d171187 3786->3788 3789 6d1711a4 3787->3789 3790 6d171194-6d171197 3787->3790 3792 6d1711fe-6d171202 3788->3792 3791 6d1711a6-6d1711b3 GetStdHandle 3789->3791 3793 6d1711a0-6d1711a2 3790->3793 3794 6d171199-6d17119e 3790->3794 3795 6d1711b5-6d1711b7 3791->3795 3796 6d1711e0-6d1711f2 3791->3796 3792->3785 3797 6d171208-6d17120b 3792->3797 3793->3791 3794->3791 3795->3796 3798 6d1711b9-6d1711c2 GetFileType 3795->3798 3796->3792 3799 6d1711f4-6d1711f7 3796->3799 3798->3796 3800 6d1711c4-6d1711cd 3798->3800 3799->3792 3801 6d1711d5-6d1711d8 3800->3801 3802 6d1711cf-6d1711d3 3800->3802 3801->3792 3803 6d1711da-6d1711de 3801->3803 3802->3792 3803->3792
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 6D1711A8
                                  • GetFileType.KERNELBASE(00000000), ref: 6D1711BA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileHandleType
                                  • String ID:
                                  • API String ID: 3000768030-0
                                  • Opcode ID: 6cccba6bb31a9b79d591d45bb2046ad2a8509782529edf1cba0d5d677dbbd082
                                  • Instruction ID: 3add1204a5dcdbd556e42d99388f3779fd2ad4260958eee4fe35daf29a14458d
                                  • Opcode Fuzzy Hash: 6cccba6bb31a9b79d591d45bb2046ad2a8509782529edf1cba0d5d677dbbd082
                                  • Instruction Fuzzy Hash: F01103F26047424AD7304E3ECCA4722BEA8AB67270B25671AD4B69E5F9C3F0D1C6C240
                                  Function 056B0811 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3850 56b0811-56b0879 3851 56b0881-56b08ac FindCloseChangeNotification 3850->3851 3852 56b08ae-56b08b4 3851->3852 3853 56b08b5-56b08dd 3851->3853 3852->3853
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE ref: 056B089F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215428015.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_56b0000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: a5373d119fb7daf8f0f7c9eafb0214793c7f6976ffb1d7ae708a04726ad7808f
                                  • Instruction ID: 21f47a051e55800bc800765383cb1736e151d092ee69cab33444a8d9cdfa787d
                                  • Opcode Fuzzy Hash: a5373d119fb7daf8f0f7c9eafb0214793c7f6976ffb1d7ae708a04726ad7808f
                                  • Instruction Fuzzy Hash: 6C2147B1C00349CFDB10CF9AC845BDEBBF4AF88320F25846AD958A7681D7789945CFA1
                                  Function 0307F420 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3856 307f420-307f492 3858 307f494-307f497 3856->3858 3859 307f49a-307f4c5 LoadLibraryW 3856->3859 3858->3859 3860 307f4c7-307f4cd 3859->3860 3861 307f4ce-307f4eb 3859->3861 3860->3861
                                  APIs
                                  • LoadLibraryW.KERNELBASE(00000000), ref: 0307F4B8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: ddec771ce5ffcbf565efbc38ceeabbc8a39d479b61af30bb5b2630fe90365b32
                                  • Instruction ID: 2bff5b1e1993d26269a386336e3890a4d82c863a67c0b1d8fa9d73ce63477f63
                                  • Opcode Fuzzy Hash: ddec771ce5ffcbf565efbc38ceeabbc8a39d479b61af30bb5b2630fe90365b32
                                  • Instruction Fuzzy Hash: 942198B2D043499FCB00CFA9D844A9EFBF4FF48310F14815AD808AB641C3786904CFA5
                                  Function 0307F448 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3864 307f448-307f492 3866 307f494-307f497 3864->3866 3867 307f49a-307f4c5 LoadLibraryW 3864->3867 3866->3867 3868 307f4c7-307f4cd 3867->3868 3869 307f4ce-307f4eb 3867->3869 3868->3869
                                  APIs
                                  • LoadLibraryW.KERNELBASE(00000000), ref: 0307F4B8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: c6d8b00185f74a8fa91698d8bb79e902473fa6f44b6869ad8cf2eb24fbefd57c
                                  • Instruction ID: 3f463c438093db8bacbbe528fbd5acbfda785ca2e6d21d33509d7abdf0c10649
                                  • Opcode Fuzzy Hash: c6d8b00185f74a8fa91698d8bb79e902473fa6f44b6869ad8cf2eb24fbefd57c
                                  • Instruction Fuzzy Hash: 521112B1D0465A9BCB10CFAAD944A9EFBF8EB48720F14815AD818A7740D778A904CFA5
                                  Function 056B0840 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3872 56b0840-56b08ac FindCloseChangeNotification 3874 56b08ae-56b08b4 3872->3874 3875 56b08b5-56b08dd 3872->3875 3874->3875
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE ref: 056B089F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215428015.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_56b0000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 235404d94de0d4435ec3b9de603dc7571f4129b0ca21c07300ba43ab48ea0efe
                                  • Instruction ID: ec9a3de32e42db503aa561bfaaf7ec22a43f3b72d001996e8f2deebde96f6a3c
                                  • Opcode Fuzzy Hash: 235404d94de0d4435ec3b9de603dc7571f4129b0ca21c07300ba43ab48ea0efe
                                  • Instruction Fuzzy Hash: EF1113B1800349CFDB10DF9AC545BDEBBF4AF88320F248469D558A7240D778A944CBA5
                                  Function 6D16F5A7 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3878 6d16f5a7-6d16f5b2 3879 6d16f5b4-6d16f5be 3878->3879 3880 6d16f5c0-6d16f5c6 3878->3880 3879->3880 3881 6d16f5f4-6d16f5ff call 6d16f594 3879->3881 3882 6d16f5df-6d16f5f0 RtlAllocateHeap 3880->3882 3883 6d16f5c8-6d16f5c9 3880->3883 3887 6d16f601-6d16f603 3881->3887 3884 6d16f5f2 3882->3884 3885 6d16f5cb-6d16f5d2 call 6d1721b8 3882->3885 3883->3882 3884->3887 3885->3881 3891 6d16f5d4-6d16f5dd call 6d171340 3885->3891 3891->3881 3891->3882
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,6D16F055,00000001,00000364,00000000,FFFFFFFF,000000FF,?,6D16E5D1,00000000,00000000), ref: 6D16F5E8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 4cb6bbcfa6864bde2cb0137ea93d879c0c321af2c86ea68b868a228e0bcc2248
                                  • Instruction ID: 46ebaf319ba639bfd23c0d1815fe739c53f50089cbf7ed43a13e7177096c4f5e
                                  • Opcode Fuzzy Hash: 4cb6bbcfa6864bde2cb0137ea93d879c0c321af2c86ea68b868a228e0bcc2248
                                  • Instruction Fuzzy Hash: 2CF0593260D1A666EB211E2A9C00B6B3798BF42770B128056AD34D7098EFF0DC20CAF0

                                  Non-executed Functions

                                  Function 6D16B31A Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D16B326
                                  • IsDebuggerPresent.KERNEL32 ref: 6D16B3F2
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D16B40B
                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 6D16B415
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                  • String ID:
                                  • API String ID: 254469556-0
                                  • Opcode ID: f75e48dc5b788e5b374c2e19df9e9bc0c586111171d735610749e83368b63a70
                                  • Instruction ID: 7614b1bff402117f3b55dadfb6ad13819de7e2d2f2604346ef31f2ed384c9aff
                                  • Opcode Fuzzy Hash: f75e48dc5b788e5b374c2e19df9e9bc0c586111171d735610749e83368b63a70
                                  • Instruction Fuzzy Hash: AC312775D05229DBDF20DFA0D949BCDBBB8EF09300F1041AAE50DAB250EBB09A84CF54
                                  Function 6D16F2B7 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D16F3AF
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D16F3B9
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D16F3C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  • Opcode ID: de8eeea29b8b2ff2d098a0000bd3176ac53d50de1e12721cbcdc21bb9e56c83b
                                  • Instruction ID: 5f40706839bf6892ee12dde3bf530d9510d2a6cea5c6af9ceee759bfbfccb1db
                                  • Opcode Fuzzy Hash: de8eeea29b8b2ff2d098a0000bd3176ac53d50de1e12721cbcdc21bb9e56c83b
                                  • Instruction Fuzzy Hash: 2431E47590122D9BCB21DF64D988B9DBBB8FF08314F5041EAE51CA7290E7B09B91CF54
                                  Function 6D175F05 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D175F00,?,?,00000008,?,?,6D175B03,00000000), ref: 6D176132
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionRaise
                                  • String ID:
                                  • API String ID: 3997070919-0
                                  • Opcode ID: d474f3e33ed0e5089f137682dbf0488e3a14497e5f52f43d85c94c5d5be8d7cc
                                  • Instruction ID: 09e7ba4d196ff987178ba564957fc20ad3813a8e9cfb15d7b7a0466f626ef6cd
                                  • Opcode Fuzzy Hash: d474f3e33ed0e5089f137682dbf0488e3a14497e5f52f43d85c94c5d5be8d7cc
                                  • Instruction Fuzzy Hash: A0B17D71220609DFD765CF28C48AB647BE0FF45364F258658E8A9CF2B6C375E991CB80
                                  Function 6D16A4E0 Relevance: 1.7, Strings: 1, Instructions: 409COMMONLIBRARYCODE
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !,G
                                  • API String ID: 0-200490858
                                  • Opcode ID: 7eddc9f53d7d9b44d13fc5f93ad05c3cd70049d102a8a33a2947526d1b1fa5fe
                                  • Instruction ID: 2523dfe7bd2e32d7cb7f6bcb4288f383e83582bc94caa0e198c822dbec5b7874
                                  • Opcode Fuzzy Hash: 7eddc9f53d7d9b44d13fc5f93ad05c3cd70049d102a8a33a2947526d1b1fa5fe
                                  • Instruction Fuzzy Hash: 8FE12175A942A68FCF05CEACD1D0BDD7FF1EB46310F25D51AE811EB348C6BA88558B20
                                  Function 6D16B4D8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
                                  Download Yara Rule
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D16B4EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FeaturePresentProcessor
                                  • String ID:
                                  • API String ID: 2325560087-0
                                  • Opcode ID: 7bf2550662262bb31a77eabc6eed6c0e36c9500eae714126d32094f05a332e98
                                  • Instruction ID: bbc222dc6d8b8b324d76778cc8c162c1680277a2e506bffa7780ff100951137a
                                  • Opcode Fuzzy Hash: 7bf2550662262bb31a77eabc6eed6c0e36c9500eae714126d32094f05a332e98
                                  • Instruction Fuzzy Hash: 4451AFB1A10246CFEF14CF55D6917AEBBF4FB59309F10842AE501EB245D3B8D910CB60
                                  Function 6D16F968 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a5de14271bd301af5e5baa616fe17fa24ea59238948d19a14ae8b4bc819d723
                                  • Instruction ID: dcd80110ff49b5a671aca29e43b5cdba24092192714cc82715bec764a8182b9f
                                  • Opcode Fuzzy Hash: 5a5de14271bd301af5e5baa616fe17fa24ea59238948d19a14ae8b4bc819d723
                                  • Instruction Fuzzy Hash: A641A3B5808259AFDB10DF69CC88AAABBB8EF45304F1442D9E41DD3204EB749E54CF20
                                  Function 0307A690 Relevance: 1.6, Strings: 1, Instructions: 387COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @5L
                                  • API String ID: 0-2129609996
                                  • Opcode ID: 414c3ac7e76a27f212660a920e61a1776c66b3b2036965ec1f46246526e4e901
                                  • Instruction ID: 257f539df805e925188a446cc731c71658400110c08ade2c5999306e18fa9651
                                  • Opcode Fuzzy Hash: 414c3ac7e76a27f212660a920e61a1776c66b3b2036965ec1f46246526e4e901
                                  • Instruction Fuzzy Hash: F2D1B279F101258F8758EB6CC55893EB7F6BF8D61031644ACEA0AEB365DE20EC01CB95
                                  Function 0307AD59 Relevance: 1.5, Strings: 1, Instructions: 266COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 65
                                  • API String ID: 0-2986860945
                                  • Opcode ID: 73173d5824bb9d9d77289d97a6c8e58662198e801cf56c5aee03491f1cbe3a36
                                  • Instruction ID: 30349fdb7ae02500175155ed3d1070447e69a5af6fc66e0b5cd13ae9f6384df1
                                  • Opcode Fuzzy Hash: 73173d5824bb9d9d77289d97a6c8e58662198e801cf56c5aee03491f1cbe3a36
                                  • Instruction Fuzzy Hash: 59912A73F216398BDB54DEADC84069DF6F6AB88250B1D816AEC15FB341DA749C42CBC0
                                  Function 0307B358 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ?+
                                  • API String ID: 0-1086079126
                                  • Opcode ID: 0f1f263b7e61487d4ac3357a592ed0f918ce072955baffc79ad25e4780774c43
                                  • Instruction ID: 6a7103364b58f122d0f6eab5efc52702c83ea600f675effda8b2a47378ca8944
                                  • Opcode Fuzzy Hash: 0f1f263b7e61487d4ac3357a592ed0f918ce072955baffc79ad25e4780774c43
                                  • Instruction Fuzzy Hash: F241AF37F505298BDB14DEADC8905EEF7F6ABC8220B1A81AAD809F7350D6749C05CBD0
                                  Function 0307B368 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ?+
                                  • API String ID: 0-1086079126
                                  • Opcode ID: b58bd156e109d16801243bce5d1e05d2f4d50be03c6b0dc33d69eb2fa250299f
                                  • Instruction ID: afb0eca6ea410de8b3cc6891f83315a42015508cd12e17060edde8e1bf6ff5a9
                                  • Opcode Fuzzy Hash: b58bd156e109d16801243bce5d1e05d2f4d50be03c6b0dc33d69eb2fa250299f
                                  • Instruction Fuzzy Hash: 91419137F505394B8B14DEAEC8905EEF7F6ABC822071A81AAE809F7350D6709C05CBD4
                                  Function 6D17108B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: HeapProcess
                                  • String ID:
                                  • API String ID: 54951025-0
                                  • Opcode ID: 224f83d2963305e1ea88958f88785e442e809bed5ba15b026c3735a19cea4381
                                  • Instruction ID: 570ef62048ee61f832db5c141f2c6d98b048444ca50b085f5611acbfb92a4f99
                                  • Opcode Fuzzy Hash: 224f83d2963305e1ea88958f88785e442e809bed5ba15b026c3735a19cea4381
                                  • Instruction Fuzzy Hash: 50A002707051158B5F508E35661530979F9954769570544695405C5550E76444509F51
                                  Function 6D183B17 Relevance: .8, Instructions: 814COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmp, Offset: 6D17E000, based on PE: true
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fc6893331270d37c6b9fc2f0513e87e2389a840f475a944f340caf066a7d19de
                                  • Instruction ID: 7827e078f3765df605f9ea98be80ec3192d6b60cfa3559f215d9bfd38e56c958
                                  • Opcode Fuzzy Hash: fc6893331270d37c6b9fc2f0513e87e2389a840f475a944f340caf066a7d19de
                                  • Instruction Fuzzy Hash: 6062446144E3C29FD7138B749C746D27FB4AE5721471E09DBD8C0CF0A3E2291A6ADB62
                                  Function 03070D89 Relevance: .4, Instructions: 413COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d75cd8845f6580dfa717e36d78c6933546d8945ece61558de831f8f09e0a46a7
                                  • Instruction ID: fdb0b65e8397e32f01fc66e9a34a5767606f1d993d98525c05e3cf0551ffa812
                                  • Opcode Fuzzy Hash: d75cd8845f6580dfa717e36d78c6933546d8945ece61558de831f8f09e0a46a7
                                  • Instruction Fuzzy Hash: 5AF1AE75F423198FEBA8CE69CCC8759B7F2AB88200F5881B9E509DB351DA709D85CF04
                                  Function 6D161010 Relevance: .2, Instructions: 219COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c3d4dafecee04f5ea5cb31740e5241657d87edf24e61dcf81d935262c0ab508
                                  • Instruction ID: afdd9dbf6d55ecfb6980561256abbebcfcf28f271363ffe90630bd9eb2eb7027
                                  • Opcode Fuzzy Hash: 8c3d4dafecee04f5ea5cb31740e5241657d87edf24e61dcf81d935262c0ab508
                                  • Instruction Fuzzy Hash: 02711A36A441868FCF05CEBCC5913DEBBF2FB46360F15921AD821E7398C6BA8955CB50
                                  Function 030794D8 Relevance: .2, Instructions: 203COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 043b82a8e785e351c55cda5353acfed933ff912938f2abae3f1ac5608b3ae5db
                                  • Instruction ID: acdd77205a3716fdced9581d077fa5625f750825241b3eb68793fc028920157b
                                  • Opcode Fuzzy Hash: 043b82a8e785e351c55cda5353acfed933ff912938f2abae3f1ac5608b3ae5db
                                  • Instruction Fuzzy Hash: A071D532F016298BCB24DFADD88459DF7F2BB98310B56866AEC19F7350D730AC458B84
                                  Function 6D162B80 Relevance: .1, Instructions: 146COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 809109a1fec70db6273dbdef6b72284f75675674f2d5f6bee1b72b86001f9da8
                                  • Instruction ID: 6ceb86e88fedfc1e75ed55843a49795418c195326b529bed5d43afe69dd29404
                                  • Opcode Fuzzy Hash: 809109a1fec70db6273dbdef6b72284f75675674f2d5f6bee1b72b86001f9da8
                                  • Instruction Fuzzy Hash: EB41D172E1454A8FCB04CF7CC9957EE7BF2AB46324F108215E825E7798C6799A058B60
                                  Function 0307F7A3 Relevance: .1, Instructions: 145COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 39a0edba4591014caf1a43c56e8c27a7727cf90389a20ab79524af3e2fc71b0b
                                  • Instruction ID: 827743a4840827b1e71fd578b64758ec8e772ec9fd438d9046b3fa3862eb9ebb
                                  • Opcode Fuzzy Hash: 39a0edba4591014caf1a43c56e8c27a7727cf90389a20ab79524af3e2fc71b0b
                                  • Instruction Fuzzy Hash: 20518E72F105298F9B54CEADC8855DEF7F2AB88220B1A816AE819FB354D6349C41CBD4
                                  Function 030797A8 Relevance: .1, Instructions: 140COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a44af044a8623dfffc5e570061def08fab51df795fb1ec66084b70e866b2a88
                                  • Instruction ID: d4d29e55ae658e8b944a28e6c9801a8ab908500a163dd061234fc1ef0a0a1110
                                  • Opcode Fuzzy Hash: 7a44af044a8623dfffc5e570061def08fab51df795fb1ec66084b70e866b2a88
                                  • Instruction Fuzzy Hash: EE41D733F106294B9B18CEADCDC05DAF6E2AB8822074A853ADD19F7740EA349D55CBD4
                                  Function 0307FC22 Relevance: .1, Instructions: 110COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2214819202.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3070000_fOsCO13KRs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e15a2efb7b6dcbc0d2df0a62cfbe1d0ff4cd3ba5d7f6779ac21350f72d20c9e
                                  • Instruction ID: 1cff11bd46910008283c6951f8bf45ebc61a1c70341159b07e118c51f2fd2342
                                  • Opcode Fuzzy Hash: 5e15a2efb7b6dcbc0d2df0a62cfbe1d0ff4cd3ba5d7f6779ac21350f72d20c9e
                                  • Instruction Fuzzy Hash: E131C577F10539479758CA6ED8505B6F6A3ABE035070B826EDC06FB785DA708C05CBD0
                                  Function 6D16CD4A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • type_info::operator==.LIBVCRUNTIME ref: 6D16CE69
                                  • ___TypeMatch.LIBVCRUNTIME ref: 6D16CF77
                                  • _UnwindNestedFrames.LIBCMT ref: 6D16D0C9
                                  • CallUnexpected.LIBVCRUNTIME ref: 6D16D0E4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                  • String ID: csm$csm$csm
                                  • API String ID: 2751267872-393685449
                                  • Opcode ID: 1de2e766b8da9d21b2be733dd661527421414b3f8195f2bbc0ce3790b1dcfd6c
                                  • Instruction ID: 869b3a4c416d2ce7f83b3faedd218706a522cff79b84f5c8b99ea5428c65d04f
                                  • Opcode Fuzzy Hash: 1de2e766b8da9d21b2be733dd661527421414b3f8195f2bbc0ce3790b1dcfd6c
                                  • Instruction Fuzzy Hash: D5B17D7180428ADFCF15CFA4D8409AEBBB6FF54314B128159E9106B219D7B1DA72CFB1
                                  Function 6D16BDF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON
                                  Download Yara Rule
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 6D16BE27
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6D16BE2F
                                  • _ValidateLocalCookies.LIBCMT ref: 6D16BEB8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6D16BEE3
                                  • _ValidateLocalCookies.LIBCMT ref: 6D16BF38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 5fc69ab3e4f4ee8233a256628fb570cf54602538bf62a5aa4cbf74ccc42d70aa
                                  • Instruction ID: 56bc6945f2a13d2a51acadb84cf186edda03559c9e5f48f9a9e2e76313856330
                                  • Opcode Fuzzy Hash: 5fc69ab3e4f4ee8233a256628fb570cf54602538bf62a5aa4cbf74ccc42d70aa
                                  • Instruction Fuzzy Hash: F041F434A002899BCF00CF68C984AAEBFB1FF05318F148095FA245B359D7B19921CBA1
                                  Function 6D170CBA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • FreeLibrary.KERNEL32(00000000,?,6D170DC9,00000000,6D16E5D1,00000000,00000000,00000001,?,6D170F42,00000022,FlsSetValue,6D178898,6D1788A0,00000000), ref: 6D170D7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 3664257935-537541572
                                  • Opcode ID: 485b71219da437953dc6c0b1339de806403c6a9b90c55d17806056e1d974881b
                                  • Instruction ID: bdaaea0f8504df53dd12cf68ebc166e3fde59cef9b5beb89e580bd21ef2590cf
                                  • Opcode Fuzzy Hash: 485b71219da437953dc6c0b1339de806403c6a9b90c55d17806056e1d974881b
                                  • Instruction Fuzzy Hash: 3421C936E0532197C7314E66DC44A9A3779EB43365F110255FD15A72A4D7F1F900C6E1
                                  Function 6D16C39C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • GetLastError.KERNEL32(00000001,?,6D16BFD1,6D16B0F0,6D16AB09,?,6D16AD41,?,00000001,?,?,00000001,?,6D17C698,0000000C,6D16AE3A), ref: 6D16C3AA
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D16C3B8
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D16C3D1
                                  • SetLastError.KERNEL32(00000000,6D16AD41,?,00000001,?,?,00000001,?,6D17C698,0000000C,6D16AE3A,?,00000001,?), ref: 6D16C423
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: 145fe23d7064b112562c0e3790557fd65a10d49318fb07b4f51a6f404856c951
                                  • Instruction ID: a475ced388f0d92b9ed18374e3eae3b4380c83fb13e8ed7991c29d599473bde0
                                  • Opcode Fuzzy Hash: 145fe23d7064b112562c0e3790557fd65a10d49318fb07b4f51a6f404856c951
                                  • Instruction Fuzzy Hash: 5101D83231D3A65FAF1059B57C8467A2EA6EB43B79721422AF610920D8EFD548219264
                                  Function 6D16FEEE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON
                                  Download Yara Rule
                                  Strings
                                  • C:\Users\user\Desktop\fOsCO13KRs.exe, xrefs: 6D16FF0A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: C:\Users\user\Desktop\fOsCO13KRs.exe
                                  • API String ID: 0-1763130255
                                  • Opcode ID: 52af305b456f421139bea3b013a683abab827377d3c6a4cbd46951c1a9a8c130
                                  • Instruction ID: 99bbb6f05291e889d8602117338161b79004892bdf35e90a6d81ce35d9743be7
                                  • Opcode Fuzzy Hash: 52af305b456f421139bea3b013a683abab827377d3c6a4cbd46951c1a9a8c130
                                  • Instruction Fuzzy Hash: 5D215E3360C286AF9B119F75D85096A77A9FF063687018999EA38D7158E7F0EC308B70
                                  Function 6D16DEFE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3D70B5D4,00000000,?,00000000,6D176802,000000FF,?,6D16DE98,?,?,6D16DE6C,?), ref: 6D16DF33
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D16DF45
                                  • FreeLibrary.KERNEL32(00000000,?,00000000,6D176802,000000FF,?,6D16DE98,?,?,6D16DE6C,?), ref: 6D16DF67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: b1aab177f0af16df9f1b55281fa48ca82071bf3395040a00bfd62815576e7141
                                  • Instruction ID: 1dd0ecfaa19dca36a3df424f671b21c82a9836e78aff0b0fc7c3177adab3e7f6
                                  • Opcode Fuzzy Hash: b1aab177f0af16df9f1b55281fa48ca82071bf3395040a00bfd62815576e7141
                                  • Instruction Fuzzy Hash: F3016771914669EFDB119F90CC08BBE7BB9FB46710F100529E811A26A4D7B59901CA90
                                  Function 6D172975 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
                                  Download Yara Rule
                                  APIs
                                  • __alloca_probe_16.LIBCMT ref: 6D1729FA
                                  • __alloca_probe_16.LIBCMT ref: 6D172AC3
                                  • __freea.LIBCMT ref: 6D172B2A
                                    • Part of subcall function 6D171B1A: HeapAlloc.KERNEL32(00000000,6D170467,6D171834,?,6D170467,00000220,?,?,6D171834), ref: 6D171B4C
                                  • __freea.LIBCMT ref: 6D172B3D
                                  • __freea.LIBCMT ref: 6D172B4A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16$AllocHeap
                                  • String ID:
                                  • API String ID: 1096550386-0
                                  • Opcode ID: f710b4719ca8232a497350206befb1421d042a3999257a12f46f398001f0f336
                                  • Instruction ID: 052eb00c72c49c87df697eb3828fb452f00ebb0dd2fe0e7a946427ec83b49fab
                                  • Opcode Fuzzy Hash: f710b4719ca8232a497350206befb1421d042a3999257a12f46f398001f0f336
                                  • Instruction Fuzzy Hash: A751A172608207AFEB318F65CC80EBB76A9EF95614B160128FD14D7278E7F1DC52D6A0
                                  Function 6D16C972 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D16C923,00000000,?,00000001,?,?,?,6D16CA12,00000001,FlsFree,6D177F70,FlsFree), ref: 6D16C97F
                                  • GetLastError.KERNEL32(?,6D16C923,00000000,?,00000001,?,?,?,6D16CA12,00000001,FlsFree,6D177F70,FlsFree,00000000,?,6D16C471), ref: 6D16C989
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D16C9B1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID: api-ms-
                                  • API String ID: 3177248105-2084034818
                                  • Opcode ID: e4cc6276be085e3dcd554c405093716b2d603f91e6a4a24b7748a017477a8d7d
                                  • Instruction ID: 24a536937b7317c8c95507d6e245e5d027db07281a5ec9eef9f2460f6f921744
                                  • Opcode Fuzzy Hash: e4cc6276be085e3dcd554c405093716b2d603f91e6a4a24b7748a017477a8d7d
                                  • Instruction Fuzzy Hash: 2BE01A30A48245B7EF101EA1EC09B6A3E76EB12B51F514022FA0DA80E9E7E19520CAA5
                                  Function 6D173082 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • GetConsoleOutputCP.KERNEL32(3D70B5D4,00000000,00000000,?), ref: 6D1730E5
                                    • Part of subcall function 6D170ABC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D172B20,?,00000000,-00000008), ref: 6D170B1D
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D173337
                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D17337D
                                  • GetLastError.KERNEL32 ref: 6D173420
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                  • String ID:
                                  • API String ID: 2112829910-0
                                  • Opcode ID: eb5cab5dc457bf7f52be0022b71e97c202b45a6b84c198389cda70c9194511e5
                                  • Instruction ID: e991f7a1bcfd368950692f4dd293cb966a903a56561acce6e8a8a2f766c7e6a1
                                  • Opcode Fuzzy Hash: eb5cab5dc457bf7f52be0022b71e97c202b45a6b84c198389cda70c9194511e5
                                  • Instruction Fuzzy Hash: BCD18CB5E042499FCF25CFE8D880AADBBB5FF09304F14412AE526EB365D770A942CB50
                                  Function 6D16CAF3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 7ef3cd53c61b039178a0ddbf2c2adf2ae61b392ad5bf2fb78db90b1379f19890
                                  • Instruction ID: ccb65e5ddc00bab5cb52667fe879455d18d13a344368a9fd8f3007f7a8a748da
                                  • Opcode Fuzzy Hash: 7ef3cd53c61b039178a0ddbf2c2adf2ae61b392ad5bf2fb78db90b1379f19890
                                  • Instruction Fuzzy Hash: 615113B16092839FDF158F14E440B7A7BA7FF94310F118529D91647298E7B5D8B0C7B4
                                  Function 6D16F708 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 6D170ABC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D172B20,?,00000000,-00000008), ref: 6D170B1D
                                  • GetLastError.KERNEL32 ref: 6D16F76C
                                  • __dosmaperr.LIBCMT ref: 6D16F773
                                  • GetLastError.KERNEL32(?,?,?,?), ref: 6D16F7AD
                                  • __dosmaperr.LIBCMT ref: 6D16F7B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                  • String ID:
                                  • API String ID: 1913693674-0
                                  • Opcode ID: 8cdb44eec9fe88321282d0aab0d5c2aebcf7d4ab0f4e6f43334152f8d3be3131
                                  • Instruction ID: 2bf85fcd3a207befd014b7e60231184518b07573a5a4c85ef812e68ee196c367
                                  • Opcode Fuzzy Hash: 8cdb44eec9fe88321282d0aab0d5c2aebcf7d4ab0f4e6f43334152f8d3be3131
                                  • Instruction Fuzzy Hash: AE21D431608286AFDB119F75C880A6BB7BDFF05368701851AF93887108E7F0EC208BB0
                                  Function 6D170B5F Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 6D170B67
                                    • Part of subcall function 6D170ABC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D172B20,?,00000000,-00000008), ref: 6D170B1D
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D170B9F
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D170BBF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                  • String ID:
                                  • API String ID: 158306478-0
                                  • Opcode ID: 67d5e2b605acbb0c4bf05e3061846770de44e3bae59e67745c08117c2f8f918a
                                  • Instruction ID: 840c068ee4724efc7e34ae1f829d73b9a69a3924fcdba04ed770d959a383dcd4
                                  • Opcode Fuzzy Hash: 67d5e2b605acbb0c4bf05e3061846770de44e3bae59e67745c08117c2f8f918a
                                  • Instruction Fuzzy Hash: 7411E5F5A0D7167EA72216765C88DAF697CDE6729C7110419F601D3124EBF2DE00C270
                                  Function 6D1749F6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D1741B6,00000000,00000001,00000000,?,?,6D173474,?,00000000,00000000), ref: 6D174A0D
                                  • GetLastError.KERNEL32(?,6D1741B6,00000000,00000001,00000000,?,?,6D173474,?,00000000,00000000,?,?,?,6D173A17,00000000), ref: 6D174A19
                                    • Part of subcall function 6D1749DF: CloseHandle.KERNEL32(FFFFFFFE,6D174A29,?,6D1741B6,00000000,00000001,00000000,?,?,6D173474,?,00000000,00000000,?,?), ref: 6D1749EF
                                  • ___initconout.LIBCMT ref: 6D174A29
                                    • Part of subcall function 6D1749A1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D1749D0,6D1741A3,?,?,6D173474,?,00000000,00000000,?), ref: 6D1749B4
                                  • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D1741B6,00000000,00000001,00000000,?,?,6D173474,?,00000000,00000000,?), ref: 6D174A3E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: c2d49c56bf163a744f49921de9d08eb8889c5446d561e99c20f0d891df075c36
                                  • Instruction ID: 91a938cf16e5bb47bf7af91aba012bf1021f8c12d20fd659045c84e4ae2353c0
                                  • Opcode Fuzzy Hash: c2d49c56bf163a744f49921de9d08eb8889c5446d561e99c20f0d891df075c36
                                  • Instruction Fuzzy Hash: 14F0F236904169BBCF221EE9EC09B8A3E76FB0B2A5F014011FA1996134C7B28820DB94
                                  Function 6D16D0EF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • EncodePointer.KERNEL32(00000000,?), ref: 6D16D114
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2215459386.000000006D161000.00000020.00000001.01000000.00000006.sdmp, Offset: 6D160000, based on PE: true
                                  • Associated: 00000000.00000002.2215444810.000000006D160000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215488470.000000006D177000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215507459.000000006D17E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                  • Associated: 00000000.00000002.2215581402.000000006D1CA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6d160000_fOsCO13KRs.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EncodePointer
                                  • String ID: MOC$RCC
                                  • API String ID: 2118026453-2084237596
                                  • Opcode ID: 9340a46893d8d0b9e668991f3296b732ce63f3e277c74350d8dfffa368f0a2d6
                                  • Instruction ID: 068720157d5a9f2adfc036630bc1c7144d52d22b591beea623c1fc244fe6688d
                                  • Opcode Fuzzy Hash: 9340a46893d8d0b9e668991f3296b732ce63f3e277c74350d8dfffa368f0a2d6
                                  • Instruction Fuzzy Hash: 0F417DB2900249AFCF01CF94CC80AEE7BB6FF88304F258159FA14A7218D3B5D961DB61

                                  Execution Graph

                                  Execution Coverage:15%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:3.4%
                                  Total number of Nodes:118
                                  Total number of Limit Nodes:6
                                  execution_graph 39682 67116a0 39683 67116ba 39682->39683 39688 67116f1 39683->39688 39693 6711ab0 39683->39693 39698 6711700 39683->39698 39684 67116d6 39692 67116f8 39688->39692 39689 6711ae6 39689->39684 39692->39689 39703 6718159 39692->39703 39712 6718168 39692->39712 39694 6711a7e 39693->39694 39695 6711ae6 39694->39695 39696 6718159 5 API calls 39694->39696 39697 6718168 5 API calls 39694->39697 39695->39684 39696->39694 39697->39694 39702 6711702 39698->39702 39699 6711ae6 39699->39684 39700 6718159 5 API calls 39700->39702 39701 6718168 5 API calls 39701->39702 39702->39699 39702->39700 39702->39701 39704 6718164 39703->39704 39721 6718208 39704->39721 39727 67181f8 39704->39727 39705 67181a1 39733 67183d0 39705->39733 39741 67183e0 39705->39741 39749 6718452 39705->39749 39706 67181d8 39706->39692 39713 671818f 39712->39713 39716 6718208 2 API calls 39713->39716 39717 67181f8 2 API calls 39713->39717 39714 67181a1 39718 67183e0 2 API calls 39714->39718 39719 67183d0 2 API calls 39714->39719 39720 6718452 2 API calls 39714->39720 39715 67181d8 39715->39692 39716->39714 39717->39714 39718->39715 39719->39715 39720->39715 39722 6718241 39721->39722 39757 6715904 39722->39757 39726 6718281 39726->39705 39728 67181fc 39727->39728 39729 6715904 OleInitialize 39728->39729 39730 671824a GetKeyboardLayout 39729->39730 39732 6718281 39730->39732 39732->39705 39734 67183d4 39733->39734 39765 67185b0 39734->39765 39769 67185a0 39734->39769 39735 67184c6 39737 67185b0 LdrInitializeThunk 39735->39737 39738 67185a0 LdrInitializeThunk 39735->39738 39736 671852e 39736->39706 39737->39736 39738->39736 39742 67183fc 39741->39742 39747 67185b0 LdrInitializeThunk 39742->39747 39748 67185a0 LdrInitializeThunk 39742->39748 39743 67184c6 39745 67185b0 LdrInitializeThunk 39743->39745 39746 67185a0 LdrInitializeThunk 39743->39746 39744 671852e 39744->39706 39745->39744 39746->39744 39747->39743 39748->39743 39750 6718465 39749->39750 39753 67185b0 LdrInitializeThunk 39750->39753 39754 67185a0 LdrInitializeThunk 39750->39754 39751 67184c6 39755 67185b0 LdrInitializeThunk 39751->39755 39756 67185a0 LdrInitializeThunk 39751->39756 39752 671852e 39752->39706 39753->39751 39754->39751 39755->39752 39756->39752 39758 671590f 39757->39758 39759 671824a GetKeyboardLayout 39758->39759 39761 6715914 39758->39761 39759->39726 39762 6718308 OleInitialize 39761->39762 39764 671836c 39762->39764 39764->39759 39766 67185d7 39765->39766 39767 671860f LdrInitializeThunk 39766->39767 39768 6718607 39766->39768 39767->39768 39768->39735 39770 67185a4 39769->39770 39771 6718607 39770->39771 39772 671860f LdrInitializeThunk 39770->39772 39771->39735 39772->39771 39679 302d300 39680 302d305 DuplicateHandle 39679->39680 39681 302d396 39680->39681 39773 3024668 39774 3024684 39773->39774 39775 3024696 39774->39775 39777 30247a0 39774->39777 39778 30247c5 39777->39778 39782 30248b0 39778->39782 39786 30248a1 39778->39786 39783 30248d7 39782->39783 39784 30249b4 39783->39784 39790 3024248 39783->39790 39788 30248b0 39786->39788 39787 30249b4 39787->39787 39788->39787 39789 3024248 CreateActCtxA 39788->39789 39789->39787 39791 3025940 CreateActCtxA 39790->39791 39793 3025a03 39791->39793 39794 302ad38 39795 302ad47 39794->39795 39797 302ae30 39794->39797 39798 302ae41 39797->39798 39799 302ae64 39797->39799 39798->39799 39805 302b0b8 39798->39805 39809 302b0c8 39798->39809 39799->39795 39800 302ae5c 39800->39799 39801 302b068 GetModuleHandleW 39800->39801 39802 302b095 39801->39802 39802->39795 39806 302b0c8 39805->39806 39807 302b101 39806->39807 39813 302a870 39806->39813 39807->39800 39810 302b0cd 39809->39810 39811 302a870 LoadLibraryExW 39810->39811 39812 302b101 39810->39812 39811->39812 39812->39800 39814 302b2a8 LoadLibraryExW 39813->39814 39816 302b321 39814->39816 39816->39807 39817 302d0b8 39818 302d0bd GetCurrentProcess 39817->39818 39820 302d150 GetCurrentThread 39818->39820 39822 302d149 39818->39822 39821 302d18d GetCurrentProcess 39820->39821 39823 302d186 39820->39823 39826 302d1c3 39821->39826 39822->39820 39823->39821 39824 302d1eb GetCurrentThreadId 39825 302d21c 39824->39825 39826->39824

                                  Executed Functions

                                  Function 067185B0 Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 616 67185b0-67185d5 617 67185d7 616->617 618 67185dc-6718605 616->618 617->618 620 6718607-671860d 618->620 621 671860f-6718622 LdrInitializeThunk 618->621 622 671862a-6718634 620->622 623 6718627 621->623 624 6718636-671863c 622->624 625 671863f-6718665 622->625 623->622 624->625
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: d1017c7f003365183737e8f2d469fd4da3422334e02efcdaa1af44a11745fbb4
                                  • Instruction ID: 82137c645240743154b6b220e6ffe19a4dc66d24cdd0873fb4fbeb3b8a1fc327
                                  • Opcode Fuzzy Hash: d1017c7f003365183737e8f2d469fd4da3422334e02efcdaa1af44a11745fbb4
                                  • Instruction Fuzzy Hash: 4721BD79E112189FDB08DFA9E484ADDBBB2EB89320F10916AE415BB360EB345841CF55
                                  Function 0672EA18 Relevance: .8, Instructions: 784COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 701de15e291ec21c1f3ead5d42309aeb794fdead9ccec68ee8f2253f392ee67d
                                  • Instruction ID: 7ef5962993c970e8d2410f21640c8ffa1245b3a474f1e81c1d79a9c7bce6d136
                                  • Opcode Fuzzy Hash: 701de15e291ec21c1f3ead5d42309aeb794fdead9ccec68ee8f2253f392ee67d
                                  • Instruction Fuzzy Hash: ED624975A002158FDB54DFA9D894AAEBBF2FF89310F148069E905DB361CB34EC46CB90
                                  Function 067139C0 Relevance: .2, Instructions: 202COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 670cbbfd7d62d2a656226ccb8687c218669429d3a25135a915409f0a69dfa84c
                                  • Instruction ID: 286f1bf4c11cb83026feefbb4895158fffe055fcf18f65678308f7ad29fb8f7e
                                  • Opcode Fuzzy Hash: 670cbbfd7d62d2a656226ccb8687c218669429d3a25135a915409f0a69dfa84c
                                  • Instruction Fuzzy Hash: CA61D274E00218DFDB44DFA9C480ADDBBB2BF89310F24816AD515BB364DB30A846CF54
                                  Function 0302D0A8 Relevance: 6.1, APIs: 4, Instructions: 133threadCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0302D136
                                  • GetCurrentThread.KERNEL32 ref: 0302D173
                                  • GetCurrentProcess.KERNEL32 ref: 0302D1B0
                                  • GetCurrentThreadId.KERNEL32 ref: 0302D209
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: dfc886464f9a3c8c95fcb4739d9c05261276758cd3dca77327bfbb5228d9bfd8
                                  • Instruction ID: f199a112f0e186c0522f1bbd810f8f0eb3e88f993b4c4dd726ba0a5f4323f5c5
                                  • Opcode Fuzzy Hash: dfc886464f9a3c8c95fcb4739d9c05261276758cd3dca77327bfbb5228d9bfd8
                                  • Instruction Fuzzy Hash: 155167B0901749DFEB44CFAAD548B9EBFF1EF88304F248469E119A73A0DB345944CB66
                                  Function 0302D0B8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0302D136
                                  • GetCurrentThread.KERNEL32 ref: 0302D173
                                  • GetCurrentProcess.KERNEL32 ref: 0302D1B0
                                  • GetCurrentThreadId.KERNEL32 ref: 0302D209
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: bade32407c1cb7ab3b32794340f141c89386ab30e5840886f63b4cbefb4de9ba
                                  • Instruction ID: 9ccef8f1a6b8fbfc4083fc6bd56679c45b4a78d77c38eae2fd20b5bd53947abd
                                  • Opcode Fuzzy Hash: bade32407c1cb7ab3b32794340f141c89386ab30e5840886f63b4cbefb4de9ba
                                  • Instruction Fuzzy Hash: 145165B0901749DFEB44CFAAD548B9EBFF1EF88300F248459E119A73A0DB349944CB66
                                  Function 0302AE30 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 253 302ae30-302ae3f 254 302ae41-302ae4e call 3029838 253->254 255 302ae6b-302ae6f 253->255 260 302ae50 254->260 261 302ae64 254->261 257 302ae83-302aec4 255->257 258 302ae71-302ae7b 255->258 264 302aed1-302aedf 257->264 265 302aec6-302aece 257->265 258->257 311 302ae56 call 302b0b8 260->311 312 302ae56 call 302b0c8 260->312 261->255 266 302af03-302af05 264->266 267 302aee1-302aee6 264->267 265->264 272 302af08-302af0f 266->272 269 302aef1 267->269 270 302aee8-302aeef call 302a814 267->270 268 302ae5c-302ae5e 268->261 271 302afa0-302afb7 268->271 274 302aef3-302af01 269->274 270->274 284 302afb9-302b018 271->284 275 302af11-302af19 272->275 276 302af1c-302af23 272->276 274->272 275->276 278 302af30-302af39 call 302a824 276->278 279 302af25-302af2d 276->279 285 302af46-302af4b 278->285 286 302af3b-302af43 278->286 279->278 304 302b01a-302b060 284->304 287 302af69-302af76 285->287 288 302af4d-302af54 285->288 286->285 295 302af78-302af96 287->295 296 302af99-302af9f 287->296 288->287 289 302af56-302af66 call 302a834 call 302a844 288->289 289->287 295->296 306 302b062-302b065 304->306 307 302b068-302b093 GetModuleHandleW 304->307 306->307 308 302b095-302b09b 307->308 309 302b09c-302b0b0 307->309 308->309 311->268 312->268
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0302B086
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 3a9d3f1a921eb844e503802cb44c8af9ff0169ad3ce84e7d83e578a90b8ed428
                                  • Instruction ID: 23641bfc639e02b04bd62a879c0187673272b36d41e84297a6b3ee2985024876
                                  • Opcode Fuzzy Hash: 3a9d3f1a921eb844e503802cb44c8af9ff0169ad3ce84e7d83e578a90b8ed428
                                  • Instruction Fuzzy Hash: 8E7158B0A01B158FDBA4DF69D04079ABBF5FF88700F04892DE44ADBA50DB38E845CB91
                                  Function 03024248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 489 3024248-3025a01 CreateActCtxA 492 3025a03-3025a09 489->492 493 3025a0a-3025a64 489->493 492->493 500 3025a73-3025a77 493->500 501 3025a66-3025a69 493->501 502 3025a88 500->502 503 3025a79-3025a85 500->503 501->500 505 3025a89 502->505 503->502 505->505
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 030259F1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 616074a8e1e70ec37b3d111c93e31e8bf2f4c56ae6ca94889274771e3e5fc284
                                  • Instruction ID: 9b1f6dddb1f8f507479528b820f352c48a92fe5cb82076f5677171f38defb0c5
                                  • Opcode Fuzzy Hash: 616074a8e1e70ec37b3d111c93e31e8bf2f4c56ae6ca94889274771e3e5fc284
                                  • Instruction Fuzzy Hash: B441EFB0C00729CBDB24CFAAC884B9EFBF5BF49304F20806AD408AB251DB756945CF95
                                  Function 03025935 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 506 3025935-302593c 507 3025944-3025a01 CreateActCtxA 506->507 509 3025a03-3025a09 507->509 510 3025a0a-3025a64 507->510 509->510 517 3025a73-3025a77 510->517 518 3025a66-3025a69 510->518 519 3025a88 517->519 520 3025a79-3025a85 517->520 518->517 522 3025a89 519->522 520->519 522->522
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 030259F1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 5300bdbc832ec08960df5ed1d909385a54382eff53e285d9375888c4467b5f2d
                                  • Instruction ID: 3004ef3ea0bd4d1b7f6835503d3ba8664bda48772247920c77e45c82bca86b90
                                  • Opcode Fuzzy Hash: 5300bdbc832ec08960df5ed1d909385a54382eff53e285d9375888c4467b5f2d
                                  • Instruction Fuzzy Hash: 3D41FEB0C00729CBEB24CFA9C885B8EFBF5BF49304F24806AD408AB251DB756945CF94
                                  Function 0302D2F9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 603 302d2f9-302d2fe 604 302d300-302d304 603->604 605 302d305-302d394 DuplicateHandle 603->605 604->605 606 302d396-302d39c 605->606 607 302d39d-302d3ba 605->607 606->607
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0302D387
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 502f3effb55aa271caec6d8ad7088fd5d5d0b8390ca0a83f5912b4fa3fade334
                                  • Instruction ID: 5cd20aad6999b14a6b028dc3da7b742bc9d1efd755a4f088136a5f0a2c867538
                                  • Opcode Fuzzy Hash: 502f3effb55aa271caec6d8ad7088fd5d5d0b8390ca0a83f5912b4fa3fade334
                                  • Instruction Fuzzy Hash: 1221F4B5D00259DFDB10CF9AD884ADEBBF5EB48310F15801AE918A3210D374A950CFA4
                                  Function 0302D300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 610 302d300-302d394 DuplicateHandle 612 302d396-302d39c 610->612 613 302d39d-302d3ba 610->613 612->613
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0302D387
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 45dcbb058e8f6a3837c6c43aa7ec3fb66a471e3bc7893b5ca1157821c920f18d
                                  • Instruction ID: 745ff8ebbdd7e2b113850818c61fe6457c10f102f7fd653fea97b7114d22bffb
                                  • Opcode Fuzzy Hash: 45dcbb058e8f6a3837c6c43aa7ec3fb66a471e3bc7893b5ca1157821c920f18d
                                  • Instruction Fuzzy Hash: 4C21E3B5900248DFDB10CFAAD884ADEBBF8EB48310F14801AE918A7310C378A954CFA5
                                  Function 0302B2A0 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 627 302b2a0-302b2e8 629 302b2f0-302b31f LoadLibraryExW 627->629 630 302b2ea-302b2ed 627->630 631 302b321-302b327 629->631 632 302b328-302b345 629->632 630->629 631->632
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0302B101,00000800,00000000,00000000), ref: 0302B312
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: c77b5e45902afdbb0b4a5766f837ff68532c47a09153edaaa13ff06e0f6860ce
                                  • Instruction ID: 75ebf9c87f44c8a60237b0265dcf1adf60e752ba6c4b0180a460fbcce8a72612
                                  • Opcode Fuzzy Hash: c77b5e45902afdbb0b4a5766f837ff68532c47a09153edaaa13ff06e0f6860ce
                                  • Instruction Fuzzy Hash: 691114B68003499FDB10CF9AC844BDEFBF4EB48310F14842AD919A7200C375A545CFA5
                                  Function 0302A870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 635 302a870-302b2e8 637 302b2f0-302b31f LoadLibraryExW 635->637 638 302b2ea-302b2ed 635->638 639 302b321-302b327 637->639 640 302b328-302b345 637->640 638->637 639->640
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0302B101,00000800,00000000,00000000), ref: 0302B312
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 378869e07d8099b7ed4f50371eb549787093c5b730043b391392c1e2c87b2d43
                                  • Instruction ID: 5af2ccf75f17dbfd6ccaa847295c8411cbe90a23b9a818c6fe241905898ab97d
                                  • Opcode Fuzzy Hash: 378869e07d8099b7ed4f50371eb549787093c5b730043b391392c1e2c87b2d43
                                  • Instruction Fuzzy Hash: 3411D3B6901359DFDB10CF9AC444A9EFBF4EB58310F14842AD919A7200C375A945CFA5
                                  Function 067181F8 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 643 67181f8-67181fa 644 6718202 643->644 645 67181fc-6718200 643->645 646 6718204-6718205 644->646 647 671820a-6718245 call 6715904 644->647 645->644 646->647 650 671824a-671827f GetKeyboardLayout 647->650 652 6718281-6718287 650->652 653 6718288-67182a4 650->653 652->653
                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 0671826E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID: KeyboardLayout
                                  • String ID:
                                  • API String ID: 194098044-0
                                  • Opcode ID: a98957988ddf54ff47bb0aecd6106969bef6659bc084b5cc7c45f2fc6d3e9707
                                  • Instruction ID: a24c8c139cf06dd1304de3781405df0bbda9d7ee3659fec6cab07562d2404039
                                  • Opcode Fuzzy Hash: a98957988ddf54ff47bb0aecd6106969bef6659bc084b5cc7c45f2fc6d3e9707
                                  • Instruction Fuzzy Hash: C71186B0C00788CEDB55EFA9C4497DEBFF0EB4A310F10856AD429AB250C3356948CFA2
                                  Function 06718300 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON
                                  Download Yara Rule
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 0671835D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  • Opcode ID: ac6d25bb23d2edcca0d5f1507629cb80bccd04b97740d9983d64cfe27e237f64
                                  • Instruction ID: 9b7a44348f1607520fa21e0fa8c67fa3ff319a34c175c0155a970289d6545f1b
                                  • Opcode Fuzzy Hash: ac6d25bb23d2edcca0d5f1507629cb80bccd04b97740d9983d64cfe27e237f64
                                  • Instruction Fuzzy Hash: EE1145B1800348CFDB10DFAED885BDEBBF8AB48310F14841AD518A7310C378A545CFA6
                                  Function 0302B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0302B086
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2331073365.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_3020000_MSBuild.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 1c7f32afdc3c4f2bd57a3e1fcec587e4054063da23ced952d033052fd24ad942
                                  • Instruction ID: 98b7d786cf438c85ad7bb42b3f07562d714af3b1b864bdab1768575d113c0bfa
                                  • Opcode Fuzzy Hash: 1c7f32afdc3c4f2bd57a3e1fcec587e4054063da23ced952d033052fd24ad942
                                  • Instruction Fuzzy Hash: 9911DFB5C04759CFDB20DF9AC444BDEFBF4AB88610F15842AD829A7210C379A545CFA5
                                  Function 06718208 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 0671826E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID: KeyboardLayout
                                  • String ID:
                                  • API String ID: 194098044-0
                                  • Opcode ID: 019455cb124f143901f260400f31cd382a13f1620707d210cefabbc6d6bd7f78
                                  • Instruction ID: cd48890aaab66aa7decc2b8d1dc2057053dbf0f1d7b7ff31951ad82ff6cd3944
                                  • Opcode Fuzzy Hash: 019455cb124f143901f260400f31cd382a13f1620707d210cefabbc6d6bd7f78
                                  • Instruction Fuzzy Hash: 271122B4800748CFDB54EFAAD4497EEBFF4EB49320F10882AD519AB240D775A944CFA5
                                  Function 06715914 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                  Download Yara Rule
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 0671835D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  • Opcode ID: 2f30824e167e70e561a956298c2c28a4c9771058ec7610025c3ab9b1fc077a3e
                                  • Instruction ID: 1d176fa6b01995e09d697f2e1dc13799afb78273c61bc0be79a0c074088e4ec1
                                  • Opcode Fuzzy Hash: 2f30824e167e70e561a956298c2c28a4c9771058ec7610025c3ab9b1fc077a3e
                                  • Instruction Fuzzy Hash: FE1115B5800748DFDB50DFAAD885BDEBBF8EB49320F14845AD518A7300C378A944CFA6
                                  Function 0672668B Relevance: .4, Instructions: 440COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb7e8c3b74805b832457fe1aa4091238daa087679202e8a998e95a76681dc086
                                  • Instruction ID: d285bf16efd002ae993400358d8491777076fd3b0d622e7f4f49c40a0bb2368a
                                  • Opcode Fuzzy Hash: fb7e8c3b74805b832457fe1aa4091238daa087679202e8a998e95a76681dc086
                                  • Instruction Fuzzy Hash: DF22BC34A01208CFCB6ADFB4D19899DBBB7FF89305B61456DD505AB351CB36A982CF40
                                  Function 0672C050 Relevance: .4, Instructions: 412COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f02fdf133b4ca49621cdddfb447bb76f7dbc31e4879af9435a44ea43abf5dd63
                                  • Instruction ID: 108bcf59206964ca97ed6d34964725fc648e479edce79f846af68d2231d387bc
                                  • Opcode Fuzzy Hash: f02fdf133b4ca49621cdddfb447bb76f7dbc31e4879af9435a44ea43abf5dd63
                                  • Instruction Fuzzy Hash: 8E02AE70A003168FDBA5DF68C854BAABBF2EF98300F158599D449AB351DB31ED85CF80
                                  Function 06720660 Relevance: .4, Instructions: 407COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77f4293b50d5f6a5008300477a113a89fbe44aa6aa54adc018f7cf2a3d46bc26
                                  • Instruction ID: 79f744050e61ce9634ea53ebf8ab290e1f4ae2550e2d7e11729f28e19a0dd480
                                  • Opcode Fuzzy Hash: 77f4293b50d5f6a5008300477a113a89fbe44aa6aa54adc018f7cf2a3d46bc26
                                  • Instruction Fuzzy Hash: 9FF15934A002199FDB54DFA8D498AAE7BF2FF88300F558469E906EB390DB35DC45CB90
                                  Function 06726698 Relevance: .4, Instructions: 403COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e37c853a8a55cb83f0e245fb3940a71f510a6047f3fdb08c8e658f5704f4c5f8
                                  • Instruction ID: 01f99011aa343fd4d0e992c67cc3d0357c2853806a2df1cad356d9bafbebc70a
                                  • Opcode Fuzzy Hash: e37c853a8a55cb83f0e245fb3940a71f510a6047f3fdb08c8e658f5704f4c5f8
                                  • Instruction Fuzzy Hash: E7129C34A01208CFCB6ADFB4D29899DBBB7FF49305B61456DD505AB351CB36A982CF40
                                  Function 067271F0 Relevance: .4, Instructions: 386COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 591c40479f12a0b23062c54ebf223346781738b063b949d55147e12167239201
                                  • Instruction ID: c8fff9ff3bf582d2463a1c616acac069d59b5067c4b2e11f5dd6f9709c900424
                                  • Opcode Fuzzy Hash: 591c40479f12a0b23062c54ebf223346781738b063b949d55147e12167239201
                                  • Instruction Fuzzy Hash: BEE19E35F0025A8FDB58DFB9D9546AEBBF2AF88310F548029E905EB351EF349C458B90
                                  Function 0672B258 Relevance: .4, Instructions: 381COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b870e05c62976f30ee89bd1e93886dae67585b4aad05c780a3d111e04cd9337b
                                  • Instruction ID: 66b02d48d8e302dc5cc77a05155b7472df259375919a6926fb299e15e5f15317
                                  • Opcode Fuzzy Hash: b870e05c62976f30ee89bd1e93886dae67585b4aad05c780a3d111e04cd9337b
                                  • Instruction Fuzzy Hash: EC021B35A00715CFDB54DF78C854AA9B7B1FF89314F118699E949AB361EB30E981CF80
                                  Function 06727BF0 Relevance: .4, Instructions: 374COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 667454cc7c5418d37cb98335d7e375c4d91e2babc0984e61f89e8f94c7704b03
                                  • Instruction ID: d2d435b68839590fc7b1c1df104b4e8a2b78d15dc2ca3419de1bd9187bb020a3
                                  • Opcode Fuzzy Hash: 667454cc7c5418d37cb98335d7e375c4d91e2babc0984e61f89e8f94c7704b03
                                  • Instruction Fuzzy Hash: 3BC15B32A042764FD769C778C94067ABBA6EF82300B29C5AAD459DF282D732DC43C7D5
                                  Function 06726258 Relevance: .4, Instructions: 350COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3668993c3bc6e98baa9c89cc9f5612170f1ec131aace6497387e026b254b4299
                                  • Instruction ID: 9d96cf6b81d61d798bdcaca58cb25ec58c6380b7c18b01d7f94fc7820819132b
                                  • Opcode Fuzzy Hash: 3668993c3bc6e98baa9c89cc9f5612170f1ec131aace6497387e026b254b4299
                                  • Instruction Fuzzy Hash: 15D17974B042158FDB54DF78D894AAE7BF2EF89300F10846AE5069B791DB31EC46CB90
                                  Function 06725250 Relevance: .3, Instructions: 334COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 223e4ae5e0df5f0bb2f5609873378971dc12d5abbf9079524b94a197b11f7a86
                                  • Instruction ID: 1f6c0af0358c0977832a3c6dd810d7e6dc5ec5f6ca0dc1e3fcc262550bd6db4c
                                  • Opcode Fuzzy Hash: 223e4ae5e0df5f0bb2f5609873378971dc12d5abbf9079524b94a197b11f7a86
                                  • Instruction Fuzzy Hash: D1D1C031A003198FDB55DFB8D844AAEBBF2FF89300F14856AD446AB751EB30E945CB91
                                  Function 0672C041 Relevance: .3, Instructions: 322COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cedf679a84b2b0419318d011a16a331733308e33cfb2aa985da1e10382b2abe9
                                  • Instruction ID: eebb990e76ded234313da2a542c712754f9bd9666890b0928025754a7c9cfbe7
                                  • Opcode Fuzzy Hash: cedf679a84b2b0419318d011a16a331733308e33cfb2aa985da1e10382b2abe9
                                  • Instruction Fuzzy Hash: C7E17C70A00716CFDBA5DF68C444BAABBF1FF55304F258699D449AB252DB30E985CF80
                                  Function 06727830 Relevance: .3, Instructions: 316COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f3677ad5df88339b012b36ebc380b9f08198760b901ec4be905eebbd541162d
                                  • Instruction ID: a36becd976139493b7a7e8713c157651d368fe34d3ee9d7308ba5befb813e7ce
                                  • Opcode Fuzzy Hash: 9f3677ad5df88339b012b36ebc380b9f08198760b901ec4be905eebbd541162d
                                  • Instruction Fuzzy Hash: A8C16E35B00216DFDB48CF69D984AAEB7F6FF88214B158529E905E7360EB34EC41CB90
                                  Function 067284A8 Relevance: .3, Instructions: 302COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 30a07e12cd3dee652ba9c4326e92d812c8824ab20d24b49a08b171c77d38d9d0
                                  • Instruction ID: 662bc4c76b39aca4621d304dc1878e410216cf87331ebd2e19365d4fbd4c8f5a
                                  • Opcode Fuzzy Hash: 30a07e12cd3dee652ba9c4326e92d812c8824ab20d24b49a08b171c77d38d9d0
                                  • Instruction Fuzzy Hash: 89C193B4A09222CFE388CF5AE5A096577B5FB64300B098525E622AF751CB7CED44CFC1
                                  Function 0672C618 Relevance: .3, Instructions: 282COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 292fde21930860db526165fbea6e9e95f721cf35f00797996e615bdf2fb178e9
                                  • Instruction ID: 67934f951b654366fc80fb0a0e45dd3396806e23e2a58224bce5ae2ac1a37739
                                  • Opcode Fuzzy Hash: 292fde21930860db526165fbea6e9e95f721cf35f00797996e615bdf2fb178e9
                                  • Instruction Fuzzy Hash: 87A16C34B012158FEB85EB79C4A4B7E7BF7AFD9200F588469E506EB391DE358C018B91
                                  Function 0672B246 Relevance: .3, Instructions: 264COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 36974abefb5f34e368bc597b87b7ccb15d94066eb7400a4d3adfac6036a6a896
                                  • Instruction ID: 524eda5124bbf91d1d3bc5d5e3280575bd52991e279870390869d41a23c7fa42
                                  • Opcode Fuzzy Hash: 36974abefb5f34e368bc597b87b7ccb15d94066eb7400a4d3adfac6036a6a896
                                  • Instruction Fuzzy Hash: E9C13A3191071ACFDB11DF78C854AA9B7B1FF49304F118699E989AB261EB30E9C5CF80
                                  Function 06720C98 Relevance: .3, Instructions: 255COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd28d7864f19eb6307c6e22910d7648d8e4c5833ca4551d40600ba8dcdbaf610
                                  • Instruction ID: b9c1eb0d8259c44d5870ae638e0b6ddc852ee814c835a2686116bb00f0868995
                                  • Opcode Fuzzy Hash: cd28d7864f19eb6307c6e22910d7648d8e4c5833ca4551d40600ba8dcdbaf610
                                  • Instruction Fuzzy Hash: F1918C34B012159FC745DF68D89499EBBF6EF89310B2581A9E519DB3B2CB30EC41CBA0
                                  Function 06725B28 Relevance: .3, Instructions: 251COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a5a70a97ea10b1d96b43f370379026d13ecf39f12bdfaef60a88f9fbc5f45f4e
                                  • Instruction ID: 3b3ef0e0bcfa602a563ede91d0ce29b87bf9810825ccb2cdf7c873f65e93c229
                                  • Opcode Fuzzy Hash: a5a70a97ea10b1d96b43f370379026d13ecf39f12bdfaef60a88f9fbc5f45f4e
                                  • Instruction Fuzzy Hash: 7FA12535A01259DFDB45CF68D888E99BBF2EF89320F164595E505DB362DB30EC84CB50
                                  Function 06724830 Relevance: .2, Instructions: 234COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd14d2f84e9d10cb4a81bfa9c98105d569e788d8a300ceeceaf11a30b4f4ac0e
                                  • Instruction ID: 7e16c276814ad97ecf309f4eff6cad3c3baf046bf83fbadf3f37cc44088a74e8
                                  • Opcode Fuzzy Hash: dd14d2f84e9d10cb4a81bfa9c98105d569e788d8a300ceeceaf11a30b4f4ac0e
                                  • Instruction Fuzzy Hash: 8181AF71A0025A9FCB44EFB8C840AAF7BF6EF89310F10812AE949DB355DB34D9058B91
                                  Function 0672F618 Relevance: .2, Instructions: 229COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: adb022eb8eff795d2018acac0df5d1b6a2cfe85329f0842011b1254950a312c3
                                  • Instruction ID: 9960df9918722935efcd319d620c70adabec6a59bc3d21ce9a32f3126cd36818
                                  • Opcode Fuzzy Hash: adb022eb8eff795d2018acac0df5d1b6a2cfe85329f0842011b1254950a312c3
                                  • Instruction Fuzzy Hash: C0817C34B402118FDB459F79C894A3E7BF6EF89600B188069E905DB3A2DE39DC01CBA1
                                  Function 0672AE10 Relevance: .2, Instructions: 200COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c11856ef12cf4d9fa4658ceb318703479933ca4ece94a90ff0edf2d1e0d086e3
                                  • Instruction ID: e226f8439d81fe8522e5f3491f864817783a95269409ff681075d4b74cc88bd9
                                  • Opcode Fuzzy Hash: c11856ef12cf4d9fa4658ceb318703479933ca4ece94a90ff0edf2d1e0d086e3
                                  • Instruction Fuzzy Hash: 3A71AB30A002169FDB50DF69C894AAFBBF6EF89300F108569E515AB361DB34ED46CBD1
                                  Function 0672E078 Relevance: .2, Instructions: 187COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8b96dcbbe3b97e7d9abe898239c34f2e524c7db8e3d4c57660ea9ecc4729d8ef
                                  • Instruction ID: 3885c038a9529d62558e68fa9e19eb85a2346f9b80c27719e10800d64a047e84
                                  • Opcode Fuzzy Hash: 8b96dcbbe3b97e7d9abe898239c34f2e524c7db8e3d4c57660ea9ecc4729d8ef
                                  • Instruction Fuzzy Hash: 1A61BE70B002128FDB55EF79C8906AEBBF2EF85300F048968D9169B395DB34EC45CB90
                                  Function 06722080 Relevance: .2, Instructions: 183COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8574a6fba957867cd9842cd30c001dda43ce5d2ab6ae8b2c3b58273904e1fa26
                                  • Instruction ID: 6cb2353c65f1985b4a24e9354978c193d2164456c7f54137dc9f9d6635188600
                                  • Opcode Fuzzy Hash: 8574a6fba957867cd9842cd30c001dda43ce5d2ab6ae8b2c3b58273904e1fa26
                                  • Instruction Fuzzy Hash: 1E517A35B007119FCB64DFB9D88496ABBF2BFC92107148A2DE556CB361DA71EC05CBA0
                                  Function 06726247 Relevance: .2, Instructions: 177COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e241ee1c2d9d46cab8ca34191feebd0189f2b93583fe226f2c39be6d40d8cc25
                                  • Instruction ID: 5aed37946826526e36f9e3115500b74cdc1b5f0ea7205348ea74f71d1e5e85f9
                                  • Opcode Fuzzy Hash: e241ee1c2d9d46cab8ca34191feebd0189f2b93583fe226f2c39be6d40d8cc25
                                  • Instruction Fuzzy Hash: EF617E74A00216DFCB54DFA8D494AADBBF2FF89300F10856AE9069B761DB31ED45CB50
                                  Function 06723348 Relevance: .2, Instructions: 177COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9b76aaadf1620fb6516dfb6953e7081c8755b609531c268892b3cee0f664b6c
                                  • Instruction ID: ab717e9e1dbddad88459ad746159b1de5ca2bb99fc39a5a95d3826274e7ad84f
                                  • Opcode Fuzzy Hash: f9b76aaadf1620fb6516dfb6953e7081c8755b609531c268892b3cee0f664b6c
                                  • Instruction Fuzzy Hash: 3B51CB30B002168FDB45AB79885063EBBE6FFC9310B648179D90ADB386DE38DC458792
                                  Function 06720651 Relevance: .2, Instructions: 167COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 07d8a00b07be7f23c49cbcb5d34e746e7e835bfc86ea4ba697070e7236576e9a
                                  • Instruction ID: ff2a3c306ece25b3bd6331183e8158eb52b9ccd16d631433f21a8ce60cb569d9
                                  • Opcode Fuzzy Hash: 07d8a00b07be7f23c49cbcb5d34e746e7e835bfc86ea4ba697070e7236576e9a
                                  • Instruction Fuzzy Hash: 6E712C34A0021ADFDB54DFA8D588AAEBBB2FF48310F454468E9059B361DB31EC85CF90
                                  Function 067222C0 Relevance: .2, Instructions: 164COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0df6ab15086a530ef3af37e24b394e9cdb823d140f1f1753cda272a353183d86
                                  • Instruction ID: 808cd1d168177727b9abcb8c3d3d5d8bbf3adec3cb9248c261798dc68eb1bdc4
                                  • Opcode Fuzzy Hash: 0df6ab15086a530ef3af37e24b394e9cdb823d140f1f1753cda272a353183d86
                                  • Instruction Fuzzy Hash: D2516E71B013058FDB45AF79941827EB7F3FFC9201B64852AD51ADB380EE389D069B91
                                  Function 06725B1B Relevance: .2, Instructions: 162COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f49960a08ecc85b37213990e1c3f8013fe0604fd79a64e8e679f25d8ec50f2f
                                  • Instruction ID: 95c2dfa0b847740d282b62262a47b6982b6e22088f35cff591e60bdc6f46c3bc
                                  • Opcode Fuzzy Hash: 2f49960a08ecc85b37213990e1c3f8013fe0604fd79a64e8e679f25d8ec50f2f
                                  • Instruction Fuzzy Hash: C1510235A0121AEFDB44CF69D888E9DBBB2EF88320F158569E5059B361D730EC85CB90
                                  Function 06720040 Relevance: .2, Instructions: 158COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e912eb417fd1f6f50455bf33f8d0271178cb417118bab5199a2473a93365f99
                                  • Instruction ID: 6460c4f4136e782756600525bc256f019a24e720c792f38d9fb5fb06f0178108
                                  • Opcode Fuzzy Hash: 0e912eb417fd1f6f50455bf33f8d0271178cb417118bab5199a2473a93365f99
                                  • Instruction Fuzzy Hash: 59517030A102199FDB45EFA8D854AADBBF2FF89300F558069E505EB3A1DF309D46CB91
                                  Function 0672D9A0 Relevance: .2, Instructions: 151COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fafd5243a565f05d00db9bb67ed82060ea37cc918cd549b14573da67b1042f1c
                                  • Instruction ID: ce9ccd5e3b46341918465e56349c9a9bc8acba493c284b61bfe7723ba1501501
                                  • Opcode Fuzzy Hash: fafd5243a565f05d00db9bb67ed82060ea37cc918cd549b14573da67b1042f1c
                                  • Instruction Fuzzy Hash: B151D331A083969FD775CB79D854BBABBB6BF85210F0881AED5458B251DB30DC81CBD0
                                  Function 0672E068 Relevance: .1, Instructions: 144COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5f63bff7c1607f579c917ba17dfc78dd2a0f142be8a2e2f6862c6f07a17ca6a7
                                  • Instruction ID: fb16f43a12c252a2e9e15dee8e64d1d54012c7aeffd88460ba6f783956b9b514
                                  • Opcode Fuzzy Hash: 5f63bff7c1607f579c917ba17dfc78dd2a0f142be8a2e2f6862c6f07a17ca6a7
                                  • Instruction Fuzzy Hash: E2519130A00616DFDB54DF79C844AAEB7B2FF85300F148969D5169B365DB30EC45CB90
                                  Function 0672A710 Relevance: .1, Instructions: 121COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 66f00c14b2608bf2b3ac7ca9040eb66a6db9a70ca69753e1f32727d398b29047
                                  • Instruction ID: ab41d40fd77661c8a199af15f7602a9afe1c90af9d3b8a5a9b2f8c3e3e023d41
                                  • Opcode Fuzzy Hash: 66f00c14b2608bf2b3ac7ca9040eb66a6db9a70ca69753e1f32727d398b29047
                                  • Instruction Fuzzy Hash: 8F415D30A003168FCB95DFB8D8546AEBBB2FF89300F14856DD509AB355EB35E846CB94
                                  Function 0672A720 Relevance: .1, Instructions: 117COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6955964d031f25b388ecb20ce1f2103d979d16f6b0ef5f069748242504edec9e
                                  • Instruction ID: 99ad43d040b9eb2d4592309f718527097542829a3cbf08e5528c33806b38336b
                                  • Opcode Fuzzy Hash: 6955964d031f25b388ecb20ce1f2103d979d16f6b0ef5f069748242504edec9e
                                  • Instruction Fuzzy Hash: D0413934A003168FCB54EF79D8546AEBBB2FF88300F14856DD50AAB354EB35E946CB94
                                  Function 06720007 Relevance: .1, Instructions: 117COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 69f5edf8556b37af6cfec9c5b24b7db0c5aac5350d9bd8278b4dfdcd11262660
                                  • Instruction ID: 70e6f653e97d536b156c6b4353a87f8e9aff2625ca5b2655015f68300a8930ff
                                  • Opcode Fuzzy Hash: 69f5edf8556b37af6cfec9c5b24b7db0c5aac5350d9bd8278b4dfdcd11262660
                                  • Instruction Fuzzy Hash: 5F41C430A153598FCB55EFB4D8549ADBFB2FF86300F1980A9D401AB261EB309D46CB91
                                  Function 0672D800 Relevance: .1, Instructions: 116COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e8cca328db26ee924119f8081c1e2f1e91740dd812560f862009a26dfdf13c7
                                  • Instruction ID: cf65393c4ce09a1eca7d538822d134604e213221efd8a37bef59eead2e61a9db
                                  • Opcode Fuzzy Hash: 3e8cca328db26ee924119f8081c1e2f1e91740dd812560f862009a26dfdf13c7
                                  • Instruction Fuzzy Hash: 77419531E113059FC7449F79D8586EDB7B6FF89300F10862AEA46AB250EF70A984CB91
                                  Function 0672821F Relevance: .1, Instructions: 109COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d62f5fbc4134000aed65417eb375137781cb9bb5e5de97c7618667d9dbf6257c
                                  • Instruction ID: 5c83920fef8edb683d34aa02f06ed27771fade20a032bda03de1ccf050ad6448
                                  • Opcode Fuzzy Hash: d62f5fbc4134000aed65417eb375137781cb9bb5e5de97c7618667d9dbf6257c
                                  • Instruction Fuzzy Hash: 153119B0A006258FDB54DF64E8547EEBBF2FF89300F04862DD1129B391DB31A949CB92
                                  Function 0672DF13 Relevance: .1, Instructions: 98COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1ca2ce8103536438c3930dde797f3e75b3444167ce86c155d39a27448252446f
                                  • Instruction ID: d89177a9a6e173be320a78e23b5c6372dd4e0f1235d0b88bd59e6908bad00186
                                  • Opcode Fuzzy Hash: 1ca2ce8103536438c3930dde797f3e75b3444167ce86c155d39a27448252446f
                                  • Instruction Fuzzy Hash: FD31D430D093999FDB51DFA8D854AEEBFB5EF46300F0440AAE054B7261C7344D14CBA4
                                  Function 0672634D Relevance: .1, Instructions: 97COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eae7c7017b585be924ae061ba50292ad1ccf79b8d861ba3ff2d9aa96bba3c4d8
                                  • Instruction ID: 6cb24c6f10f7c54675e40d5771e697cc15e44432ae8aa59f3a387ec6b3b9b68b
                                  • Opcode Fuzzy Hash: eae7c7017b585be924ae061ba50292ad1ccf79b8d861ba3ff2d9aa96bba3c4d8
                                  • Instruction Fuzzy Hash: 0C410874A00205DFDB44DFA8D594AADB7F2FF4C305F148469EA06AB790DB32AD52CB60
                                  Function 0672DEB0 Relevance: .1, Instructions: 86COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37d2712afa1cc4930b8851d50cfe21b6e8c055c27f5f00f7d89f244ba47ed5f9
                                  • Instruction ID: ca94ae1a0efb09148b60285298cd615906a716a059a79f40404b841bb93e93ed
                                  • Opcode Fuzzy Hash: 37d2712afa1cc4930b8851d50cfe21b6e8c055c27f5f00f7d89f244ba47ed5f9
                                  • Instruction Fuzzy Hash: 3D219270D0A395AFDB42DFA8D854ADEBFB5EF06200F1441AAE054E7262C7354D14CBA5
                                  Function 06725219 Relevance: .1, Instructions: 86COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 45c666dde51447f41e0d82f1ce23eacbdfab0f803739beadb524cbbc6f99582b
                                  • Instruction ID: c8892c9bb0a4b65d9cffaebb6a544cc9a56447b9628975d5edf10a42af3a3485
                                  • Opcode Fuzzy Hash: 45c666dde51447f41e0d82f1ce23eacbdfab0f803739beadb524cbbc6f99582b
                                  • Instruction Fuzzy Hash: 9E31F3B081026ADFDB45EBB4D8548DDBBF6FF85300F01456DE4017B261EB31A94ACB90
                                  Function 067216D8 Relevance: .1, Instructions: 85COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd24c26cb9553fab12807d7f4805d0f0f4053a68e149ddab63d206545f1ac6a5
                                  • Instruction ID: 100c3b7f836f1a712b4f8ee96351829c55c357344c0b1e485f4a28dd77834adb
                                  • Opcode Fuzzy Hash: dd24c26cb9553fab12807d7f4805d0f0f4053a68e149ddab63d206545f1ac6a5
                                  • Instruction Fuzzy Hash: A721F130B0431A9BD791DFA8E80476E7FE2EBC2344F4040AAD214DB351CB798909CBD1
                                  Function 0672A270 Relevance: .1, Instructions: 81COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: baebdb0f4455862a5b857fffd951d3eba693ebccfaed6c6116678e328ec7714d
                                  • Instruction ID: 9be187587be70fe649e22b7ffd002e17826712b57d2d8137852e9010ab901f7c
                                  • Opcode Fuzzy Hash: baebdb0f4455862a5b857fffd951d3eba693ebccfaed6c6116678e328ec7714d
                                  • Instruction Fuzzy Hash: 512105327053951FC7559B7DA848D6A3BEBAFCA62071944BAE609CB3A1CE25CC0583A1
                                  Function 06721518 Relevance: .1, Instructions: 80COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 935a6cbf0e50f994727a507bdab6e57f1840d05346d88c007c3d9542e4655553
                                  • Instruction ID: 373fbd9bdd7f5b3e6398cad73ab1d2b6925f0148047a95159bfc13f275653a5c
                                  • Opcode Fuzzy Hash: 935a6cbf0e50f994727a507bdab6e57f1840d05346d88c007c3d9542e4655553
                                  • Instruction Fuzzy Hash: D6217E30B1021A8FCB51EF6AD8909AE77F5FF89210B908269D5079B355EF38EC45CB91
                                  Function 06721509 Relevance: .1, Instructions: 78COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bdb9f7496e0d04d9760469c24f35d4bd6c1697a10f20b52c2376a56288096b78
                                  • Instruction ID: b7382d2fed99d7c3c62b7c159687e4c2f24e193e36e82d370591a1ad243f5280
                                  • Opcode Fuzzy Hash: bdb9f7496e0d04d9760469c24f35d4bd6c1697a10f20b52c2376a56288096b78
                                  • Instruction Fuzzy Hash: D5219130B103568FDB51EF6AD8909AE77F5FFC9210B808269D5079B251EF28DC45CB91
                                  Function 012AD4C4 Relevance: .1, Instructions: 75COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2330268501.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_12ad000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 793e03a44ecd5a16efa4cc9f91a6677700a40d3a9ed98b6941a60a695efd15a5
                                  • Instruction ID: 34413ca8733462bcd75e136b4a22fda4cab12e51f33c506ad49d76146ed90bf1
                                  • Opcode Fuzzy Hash: 793e03a44ecd5a16efa4cc9f91a6677700a40d3a9ed98b6941a60a695efd15a5
                                  • Instruction Fuzzy Hash: D1214572510208EFDB01DF58E9C0B26BF61FB88318F60C56DE9490B656C336D446CBA2
                                  Function 012AD3D8 Relevance: .1, Instructions: 75COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2330268501.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_12ad000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac86cc65670f21f1f2fab988901b70c88b7d627099b9e7229d0b1c9acd59c741
                                  • Instruction ID: 85df64f8d1d993d8a2b8597f35612ca4a3a7e6d9e140ec2695ef54c6b43f863d
                                  • Opcode Fuzzy Hash: ac86cc65670f21f1f2fab988901b70c88b7d627099b9e7229d0b1c9acd59c741
                                  • Instruction Fuzzy Hash: D2214576510308EFDB01DF54D9C0B66BF65FB88324F60C16DEA090B656C37AE446CAA2
                                  Function 06722550 Relevance: .1, Instructions: 74COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be0a5f7b6791079a5039b7c7e2e199da8de8b950ef3d2634bf83f45dc41ffd26
                                  • Instruction ID: 75f8109344a64c1e6c1195a2e5b89bfdb27c142dbaee590c8c7925ce76a85f17
                                  • Opcode Fuzzy Hash: be0a5f7b6791079a5039b7c7e2e199da8de8b950ef3d2634bf83f45dc41ffd26
                                  • Instruction Fuzzy Hash: 02212474B005158FC744CF6AD998C6ABBFAFF8961472540A9E915EB332CB70ED01CBA1
                                  Function 015CD01C Relevance: .1, Instructions: 72COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2330775557.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_15cd000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0fdc05239b6b5b1800b38a04e72d13faeab7cb19e0bd096ce7b19a0367ea1c6
                                  • Instruction ID: ce68e32fe2f02cd9fe39d1f824fa6c48ef99d100686df4a9dce67a22bbde12ed
                                  • Opcode Fuzzy Hash: d0fdc05239b6b5b1800b38a04e72d13faeab7cb19e0bd096ce7b19a0367ea1c6
                                  • Instruction Fuzzy Hash: 3D21F175604204EFDB15DFA8D580B26BBB1FB84714F20C96DD90A9F242D33AD446CAA1
                                  Function 067276A8 Relevance: .1, Instructions: 71COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9fe8e5ad913ea793e840f114c48a19ab87abe4808dab484cf54f603c0b6207a3
                                  • Instruction ID: 4650003e8844c6c8b251088efe1dcbf320cc803e6b0d286cf5ea41f97d053d20
                                  • Opcode Fuzzy Hash: 9fe8e5ad913ea793e840f114c48a19ab87abe4808dab484cf54f603c0b6207a3
                                  • Instruction Fuzzy Hash: F3216F312002119FCB55EB78E9549EE7BB6EF8A3107148569D2068B620EF71AD0ACBE4
                                  Function 0672F970 Relevance: .1, Instructions: 71COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43ba325b5bb9642f177849dbf04256c944e8e5794fa852dc6d24e858e2856bf3
                                  • Instruction ID: c751ff8a74b3a9cfc7a41b3b6d91a201d4253e9dd880b15a7a014fe605a87692
                                  • Opcode Fuzzy Hash: 43ba325b5bb9642f177849dbf04256c944e8e5794fa852dc6d24e858e2856bf3
                                  • Instruction Fuzzy Hash: 07217F757400259FC784DF2AE888D6EBBFAFF896107158169E509CB361CB75EC01CBA0
                                  Function 0672ADF0 Relevance: .1, Instructions: 70COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 12b055dac4d2fc58702b4516dfba89e65f5543c2864fe93f4f40634349a500fc
                                  • Instruction ID: a86686554bc1f830b6eccc1857fd88d86572a07506cc68bdca02ec849b9019d7
                                  • Opcode Fuzzy Hash: 12b055dac4d2fc58702b4516dfba89e65f5543c2864fe93f4f40634349a500fc
                                  • Instruction Fuzzy Hash: AC21BE71D0426A9FCB41CBA8C8859AFFFB5EF46210F0181A6D550D7262DB30EA46CBE1
                                  Function 06728128 Relevance: .1, Instructions: 70COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f03a2dcc0bf5b9cd69e75fa98d21df4d785396a1320fb9ad07d3b1daf4520207
                                  • Instruction ID: 5f570036e5ab713cf0d4e640097ea8b776929d7117cf711217f83cf25ad9f1de
                                  • Opcode Fuzzy Hash: f03a2dcc0bf5b9cd69e75fa98d21df4d785396a1320fb9ad07d3b1daf4520207
                                  • Instruction Fuzzy Hash: 46212F30600705CFD765EF29E894A6ABBF2FF89310B448A2DD1464B791DA70A98DCB91
                                  Function 06722560 Relevance: .1, Instructions: 67COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ba98e0337e3c028c657a2dbabf63cb8d3a85a8461b6dc6c2e8d9a8daad324c71
                                  • Instruction ID: 720811fbb0b7678307c1f73fb56e544dc0f003604b2c186840b59e7f85e307aa
                                  • Opcode Fuzzy Hash: ba98e0337e3c028c657a2dbabf63cb8d3a85a8461b6dc6c2e8d9a8daad324c71
                                  • Instruction Fuzzy Hash: C921E474B005158FCB44DF6AD99886AF7F6FF8961572180A9E915EB331CB30ED01CB60
                                  Function 06720F78 Relevance: .1, Instructions: 66COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7623e40ab8c94ade2b42fb8005d7413f61823eb7b3d976129f65d15686f3f734
                                  • Instruction ID: e106df7d143f87c78f828b66a5b1ad9e2ff3d75ef775c6b1581874de05a5036b
                                  • Opcode Fuzzy Hash: 7623e40ab8c94ade2b42fb8005d7413f61823eb7b3d976129f65d15686f3f734
                                  • Instruction Fuzzy Hash: F21190316047548FC325DF29D854957BBF2EFCA310704896EE589CB662E671EC06CB90
                                  Function 06723300 Relevance: .1, Instructions: 66COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e28944bb39b90f30dbca08bbe58d61816f8b44a23a1f65dfecfc20d94c825a1c
                                  • Instruction ID: 84d4793e60d02e3ca1b4d44adf6246e00dbdf811b532f404bbd1ec7e9b5d3cda
                                  • Opcode Fuzzy Hash: e28944bb39b90f30dbca08bbe58d61816f8b44a23a1f65dfecfc20d94c825a1c
                                  • Instruction Fuzzy Hash: 3A11363560A3A6AFCB438B34EC408A5BF31FF8323130481E3E051CB053DA3A9A59C792
                                  Function 06725660 Relevance: .1, Instructions: 63COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7888dcd932d5ec1aa4f9324a15be396e95693d1b2825c1b7412d47fa1f0f3f8e
                                  • Instruction ID: bfb8b0c145332f9d101e4d2d76521579b3392869f63a0d024022340c4c130fd6
                                  • Opcode Fuzzy Hash: 7888dcd932d5ec1aa4f9324a15be396e95693d1b2825c1b7412d47fa1f0f3f8e
                                  • Instruction Fuzzy Hash: 57215C72A106199FC755EFA8C580D9BBBF9FF49310F10856EE146CB650EA30F984CB90
                                  Function 06723338 Relevance: .1, Instructions: 63COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e56ed8bce9852636965e3699d7ba0b88ec502797e8fe9fcffb978398d43c6fc9
                                  • Instruction ID: bece2d6fbe479eea7130243056850d30e0e22ec5ff8cbf3eec1cb84f4fa21dcd
                                  • Opcode Fuzzy Hash: e56ed8bce9852636965e3699d7ba0b88ec502797e8fe9fcffb978398d43c6fc9
                                  • Instruction Fuzzy Hash: FC11E732A0522B9FCB518B65DC408A6FB36FF9137071482B6D66587102C736E595C7D1
                                  Function 015CD006 Relevance: .1, Instructions: 62COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2330775557.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_15cd000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21d2da2520ee20f2a2b611abd4b9db812ae3de574f53675d5a3110cd160d73d6
                                  • Instruction ID: dcb80df5de1602d9f22d032374de3cf726da1ab224df4b3e1a66ba3e820fff38
                                  • Opcode Fuzzy Hash: 21d2da2520ee20f2a2b611abd4b9db812ae3de574f53675d5a3110cd160d73d6
                                  • Instruction Fuzzy Hash: 972180755093809FCB12CF68D594715BF71FB46214F28C5EED8498F6A7C33A980ACBA2
                                  Function 0672C60B Relevance: .1, Instructions: 59COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f3ec87349a73be189d00ad450b4fdfc6a87d3aaec80c094b1ef7bd5c5e01b0f1
                                  • Instruction ID: 423a4c348e7d550c1d14af1c1efdb2b9499a434aba7f028de3e2f332295e9bd1
                                  • Opcode Fuzzy Hash: f3ec87349a73be189d00ad450b4fdfc6a87d3aaec80c094b1ef7bd5c5e01b0f1
                                  • Instruction Fuzzy Hash: B911BF31E0011ACFDB95CE99D484BFDB7B5EB5C610F14802AD905B7310DB719C44CBA0
                                  Function 06725098 Relevance: .1, Instructions: 59COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 981159916f792fd14bc8990e400ac8e18d2a344066a6cff1737d226db5bbe08b
                                  • Instruction ID: e1474a37cffa88df306fe24884a754c8798b5d0f3d378bc6869361a207a55186
                                  • Opcode Fuzzy Hash: 981159916f792fd14bc8990e400ac8e18d2a344066a6cff1737d226db5bbe08b
                                  • Instruction Fuzzy Hash: 12213871E00219CFDB58DFA9C948ADDBBF2EF8C311F24806AD505B7250EB319984CB60
                                  Function 0672A978 Relevance: .1, Instructions: 59COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4ecf47f27f2e6d04c1433e27f3f0f041182e865cbea467e93635307642ee4466
                                  • Instruction ID: 0e4bed94aadd2f83280f5b3487038bceab866b251cc293fdd6e5e22ba9df7601
                                  • Opcode Fuzzy Hash: 4ecf47f27f2e6d04c1433e27f3f0f041182e865cbea467e93635307642ee4466
                                  • Instruction Fuzzy Hash: A5112632B053555FE7558B3A581437E3BF79BC6210B4980BBD909D7381EE38CC068351
                                  Function 0672DF8B Relevance: .1, Instructions: 56COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c3deb6c029ab5445215845a559d9f6a3b26c3a72fca7a9ae6be26507efc438c0
                                  • Instruction ID: e4a2280e9203cf6edb4066ef0b0aaa12bc20fe52fd05b0ad15fda3c14eecf4a0
                                  • Opcode Fuzzy Hash: c3deb6c029ab5445215845a559d9f6a3b26c3a72fca7a9ae6be26507efc438c0
                                  • Instruction Fuzzy Hash: EF111675E112299FDB54DFA8E844AEEBBB2FF89311F60412AE414B7250CB315849CFA4
                                  Function 0672EA0B Relevance: .1, Instructions: 56COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33b18c2d471bb876b578dc1bec3f1a7aacc658f4dd66afa6f1cdb63a0d55386f
                                  • Instruction ID: de59bd4ba1c0534456eac81cfafcb0e1843404533897e1828a3fb1c7e43faabd
                                  • Opcode Fuzzy Hash: 33b18c2d471bb876b578dc1bec3f1a7aacc658f4dd66afa6f1cdb63a0d55386f
                                  • Instruction Fuzzy Hash: 2A1151757002619FCB55CF19D888E7A7BBAFF89611B098096F909CF265C774CD50CBA0
                                  Function 0672A969 Relevance: .1, Instructions: 56COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f199bb39361b5f20a1030d20b61eb1b27756e6e8eda6a93b6ec217f52e83bae5
                                  • Instruction ID: 444adf5bbe343165b341510bf228b58333d747d367013ad7e076c3bfa556b2ba
                                  • Opcode Fuzzy Hash: f199bb39361b5f20a1030d20b61eb1b27756e6e8eda6a93b6ec217f52e83bae5
                                  • Instruction Fuzzy Hash: 6F01F562B093951FD7528B7A181537EBFB68BC7200B0980EBD145CB283E9298C06C361
                                  Function 012AD4BF Relevance: .1, Instructions: 56COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2330268501.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_12ad000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                  • Instruction ID: 6ae269dee5ad8bbe89ae84f816f8326c3113f4daa1aaea1b552fc8e7eb9e21f4
                                  • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                  • Instruction Fuzzy Hash: 94112676904284DFCB12CF54D5C4B16BF71FB84314F24C6A9D9490B657C33AD45ACBA2
                                  Function 012AD3D3 Relevance: .1, Instructions: 56COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2330268501.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_12ad000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                  • Instruction ID: 4d6967ca37aa0d8f7fc7482cf0356b3a0bf010763647ede667d26a92700efd0f
                                  • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                  • Instruction Fuzzy Hash: E1112676504284DFDB02CF44D5C4B56BF71FB84324F24C2A9D9090B657C33AE45ACBA2
                                  Function 06720520 Relevance: .1, Instructions: 55COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 44a0baf940cde3a73e35bfa4996ad224c9a5cea85375792a2c3275bd3843a30e
                                  • Instruction ID: d3829308436b2d25b7e24e01368c740bbe131feef5c9f8f1f4e26f6fe499c5c0
                                  • Opcode Fuzzy Hash: 44a0baf940cde3a73e35bfa4996ad224c9a5cea85375792a2c3275bd3843a30e
                                  • Instruction Fuzzy Hash: 6E11A575A00205DFCB00DF78D844CAFBBF9FF89210B00426AE945D7321DB31A945CBA0
                                  Function 067217F9 Relevance: .1, Instructions: 54COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f019fdfa218cfb506a998f133c69625e5936493a2ef3ec19b22b6a00df5b5617
                                  • Instruction ID: ca0b05ca54b44dee7cd2b12deaaba8f1ec2a761510c0e7c221f3109a38f325cd
                                  • Opcode Fuzzy Hash: f019fdfa218cfb506a998f133c69625e5936493a2ef3ec19b22b6a00df5b5617
                                  • Instruction Fuzzy Hash: C411E170A0120EAFCB80EFA8DC017BE7BE5FB81244F5041A9D545EB342DB344A048BE1
                                  Function 06725651 Relevance: .1, Instructions: 52COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d14a0d5b8157daaad8952649cf411386ad071efa6a28940c75aad7e3bfeb2ab7
                                  • Instruction ID: e84efa33e219d4a80d4a018b64bd9bc4bcaca5530c878a1172c43784b65403b1
                                  • Opcode Fuzzy Hash: d14a0d5b8157daaad8952649cf411386ad071efa6a28940c75aad7e3bfeb2ab7
                                  • Instruction Fuzzy Hash: 6A110031A003159FD755DF64C890EA77BA9EF46700F04456EE142CB290EA30E885C7A1
                                  Function 0672E8D3 Relevance: .0, Instructions: 50COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f30cd045b1b3883ce952492643fe23dcc6175b7884db34daac92dbb1bcdb7ee
                                  • Instruction ID: 6f60827bb120a76eb25eb8455da5635b97bf620bae4683aa8e3cad7ecdcd75d3
                                  • Opcode Fuzzy Hash: 2f30cd045b1b3883ce952492643fe23dcc6175b7884db34daac92dbb1bcdb7ee
                                  • Instruction Fuzzy Hash: 890126319042259FDB658FA9C810BEEBFF2AF88300F14456EE191A3350CB759900CBA1
                                  Function 0672A6A0 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eb12563f6c29ccb5a2e2351d0b584d961f876594987f7126362bf899c133e409
                                  • Instruction ID: 85927346bdeb9740eafda051715dbe6d991b5727f6993d89b5df781b5688f996
                                  • Opcode Fuzzy Hash: eb12563f6c29ccb5a2e2351d0b584d961f876594987f7126362bf899c133e409
                                  • Instruction Fuzzy Hash: 9701D870A052559FC7158B7CED8CAAEBFF6EB89310F04056AE602D3361DB719C45CB90
                                  Function 0672DF98 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b4076d17494a3deaef3ecaecb4b1596a2ba56fba18c286916719713e04fb26d
                                  • Instruction ID: 81cd510b8d8638d629b6277dd9a19722227a3d5650782a4f503cd6df2323ed4d
                                  • Opcode Fuzzy Hash: 6b4076d17494a3deaef3ecaecb4b1596a2ba56fba18c286916719713e04fb26d
                                  • Instruction Fuzzy Hash: BB111575E002299FDB04DFA8E844ADDBBF6FF89310F50402AE514B7350CB3158458FA4
                                  Function 0672E980 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56e50750bc261413ecb7504d9b3f96286371938651648835aff6a8363f847ce6
                                  • Instruction ID: b5abb96940204ad45851669733b25745c34c785b746bcebfb16d97ed8116f53a
                                  • Opcode Fuzzy Hash: 56e50750bc261413ecb7504d9b3f96286371938651648835aff6a8363f847ce6
                                  • Instruction Fuzzy Hash: 9911C875900219EFCB81CFA8C9449ADBBF1EF08210F1484AAE989DB351D332DA61EF51
                                  Function 06720530 Relevance: .0, Instructions: 48COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d16caad70ae2e761c2af59b63f909d095aa25444ae634295bf081aa7093fb5df
                                  • Instruction ID: a2b8d7ff83c1a764cb64d0bf9b05f4c9f3d616bd79415d976ec75600d4cf485f
                                  • Opcode Fuzzy Hash: d16caad70ae2e761c2af59b63f909d095aa25444ae634295bf081aa7093fb5df
                                  • Instruction Fuzzy Hash: 4F014075A006099FCB44DFA9D848CAEBBF9FF89211B10456AE905D7320DB71A944CBA0
                                  Function 067205E0 Relevance: .0, Instructions: 48COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 108a5434e7840197ced206493c4268ace9afd2bba20fb631d0ce62b17a245f4c
                                  • Instruction ID: b2489052c4f990dac65f780cecbeaaadfa3a26243e7c54085a0265ee09ed1786
                                  • Opcode Fuzzy Hash: 108a5434e7840197ced206493c4268ace9afd2bba20fb631d0ce62b17a245f4c
                                  • Instruction Fuzzy Hash: B601D43290110AAFCB01CFA4DC04CEEBFB6EF4A311B1042A6E604EB271D7319D15CBA1
                                  Function 0672CE50 Relevance: .0, Instructions: 45COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 182699846ff740cfbc15a6c95ac2408791d3dde089d660f91c9d7fd80e174dc8
                                  • Instruction ID: e1d86b0f704db4d26867df5439ee6c14e1c09acac6a7938a90088564e7437578
                                  • Opcode Fuzzy Hash: 182699846ff740cfbc15a6c95ac2408791d3dde089d660f91c9d7fd80e174dc8
                                  • Instruction Fuzzy Hash: 3D0104353601218FC704CF29D844C69B7E9FF98B2230640AAEA01CB331DA32EC00CB90
                                  Function 012AD655 Relevance: .0, Instructions: 45COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2330268501.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_12ad000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4d9b7cac14c9793d5bf5804f31b44a93aa876db14e41742d84a5ba864da9886
                                  • Instruction ID: 6d71d2c854d7aee82639d0a417777ed1fb0c849fc704aa8a2c93fa3030b1de80
                                  • Opcode Fuzzy Hash: f4d9b7cac14c9793d5bf5804f31b44a93aa876db14e41742d84a5ba864da9886
                                  • Instruction Fuzzy Hash: DA01F771014348DFF7104E69ED84B66FFA8EF41B24F14C41AEF0C0A682C3799440CAB1
                                  Function 0672EB38 Relevance: .0, Instructions: 44COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be09edd1bcdaca5961d99899728a8fe4437e64e458ee11957fab7ba5b3b3c8ad
                                  • Instruction ID: 7f0e26db8e0153818a4036a6ffbbb179f61a9831df93199b8d8e4999964a6c71
                                  • Opcode Fuzzy Hash: be09edd1bcdaca5961d99899728a8fe4437e64e458ee11957fab7ba5b3b3c8ad
                                  • Instruction Fuzzy Hash: 22017831604225AFC701CF48C880C5ABBF9EF482203058A5AF859CB382CA70EC41CB90
                                  Function 0672781F Relevance: .0, Instructions: 43COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d598ca7b92add3c70426ee5a581cb68fe1f113d8ba1648e2d82efc36764646a9
                                  • Instruction ID: 0e9826a584dac97a90a90657b8ced395a5dc023b9af92b2c9b22e6f705d69365
                                  • Opcode Fuzzy Hash: d598ca7b92add3c70426ee5a581cb68fe1f113d8ba1648e2d82efc36764646a9
                                  • Instruction Fuzzy Hash: BCF08B32A04295ABDB084EA5AD009EB7B6ADFC9250B000426ED01E7310EB305C51C6E2
                                  Function 0672A630 Relevance: .0, Instructions: 42COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 462de6de2e9c8e01c6cd78149c14df118f03da63484b4a6c2db7f811fa6e6a05
                                  • Instruction ID: 497233f688ed28095cf76d705249c50b11255ab5b12d912f647308d78fae8d76
                                  • Opcode Fuzzy Hash: 462de6de2e9c8e01c6cd78149c14df118f03da63484b4a6c2db7f811fa6e6a05
                                  • Instruction Fuzzy Hash: A5F0A431604211CFC7558B7CA848576B7E7EFC6611B1640AAE146C7761EB728C42CB90
                                  Function 0672E8E0 Relevance: .0, Instructions: 42COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 729959dc4c01fed3e4227b174da15d93490a5d725062ee55fbfcb5263d0901d1
                                  • Instruction ID: d5c5472b5a4d86592fb1d045c17d10da8879a4c4d0a0f59b52ce45d102e05704
                                  • Opcode Fuzzy Hash: 729959dc4c01fed3e4227b174da15d93490a5d725062ee55fbfcb5263d0901d1
                                  • Instruction Fuzzy Hash: CB01D431A042699FDB65CFA9C8147AEBFF2AF88300F04456ED592B7280CB759910DBA5
                                  Function 0672A6B0 Relevance: .0, Instructions: 37COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 49504ff3a38898f26f965741f6f758b448a3b3e3bf7e3ad233a6cd88c119f8b1
                                  • Instruction ID: fa9c65bb1b513e509ce0a513f6e59426fd16ea0e914924c40e61bdc8a5b5833b
                                  • Opcode Fuzzy Hash: 49504ff3a38898f26f965741f6f758b448a3b3e3bf7e3ad233a6cd88c119f8b1
                                  • Instruction Fuzzy Hash: 3BF0AF71B002159FCB059F6DD988AAEBBF6FB88210F040169E606D3361CB709C45CB90
                                  Function 0672769D Relevance: .0, Instructions: 37COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4373b8b87f3bdb56ddab4d4ec8a94d3b9dc5725cdc34087cadc6a33ffe93c655
                                  • Instruction ID: cb0d5815b6650a26601e8df0c9aa8bf7b05f8d1eb818509e728d32390424a7d8
                                  • Opcode Fuzzy Hash: 4373b8b87f3bdb56ddab4d4ec8a94d3b9dc5725cdc34087cadc6a33ffe93c655
                                  • Instruction Fuzzy Hash: FFF01935700216CBCF49DBA8E9586AC77F2EB88621B250069D6069B760DF31DD49CB90
                                  Function 067276B8 Relevance: .0, Instructions: 36COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 60b6f588cf50e205836eacbe9eec8e56efcac2b34233093c4104ce4eb8c63b83
                                  • Instruction ID: 1c7f0eb162d91a5f1957cf22971c2580451ad177d1cca8eabc1351af86bc3d3c
                                  • Opcode Fuzzy Hash: 60b6f588cf50e205836eacbe9eec8e56efcac2b34233093c4104ce4eb8c63b83
                                  • Instruction Fuzzy Hash: 7EF03C312103019BC355EB79E850AAEBBB6EEC63607508A3DD2464B610EF71B90A8BD4
                                  Function 012AD654 Relevance: .0, Instructions: 36COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2330268501.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_12ad000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb9ac5edf78d9b3886e7ee55775f650003c59b2a29769251a5bafbcf63615e35
                                  • Instruction ID: eb7cacec943a3d168910f1475eb1250a0a8ad5feafbe86b37bae809acfcea5f8
                                  • Opcode Fuzzy Hash: fb9ac5edf78d9b3886e7ee55775f650003c59b2a29769251a5bafbcf63615e35
                                  • Instruction Fuzzy Hash: 62F06271405344AFF7118E1ADD84B66FFE8EB91724F18C45AEE0C4E697C3799844CAB1
                                  Function 0672A640 Relevance: .0, Instructions: 35COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7d13e901c35c5f3968b9050e7edba3ee0f7aee17a081a7e1f481ff68573f4ca
                                  • Instruction ID: 3b36d84f69a029a348fd42ba21aaf8d69ae8e15ca2d2bc9bb6e21e7a9be081c0
                                  • Opcode Fuzzy Hash: a7d13e901c35c5f3968b9050e7edba3ee0f7aee17a081a7e1f481ff68573f4ca
                                  • Instruction Fuzzy Hash: 15F06730710211CFC7A89B6DD848A3673EBEBC9611B164069E20AC77A1EF31CC42CB90
                                  Function 067205F0 Relevance: .0, Instructions: 35COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac98f3377e14477e8ad7b5d607736d7e55b84917d2b05fa9f82979e880a83ea3
                                  • Instruction ID: 85cd47d14950f9d11c76685d12ea12ba3c5d7986f94bd436746155d66c8e71dc
                                  • Opcode Fuzzy Hash: ac98f3377e14477e8ad7b5d607736d7e55b84917d2b05fa9f82979e880a83ea3
                                  • Instruction Fuzzy Hash: 86F0193690010AAFCB00DF98D904CDEBBB6EF49310B104165E618AB270D732AA15CB91
                                  Function 067216C7 Relevance: .0, Instructions: 33COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6d84fce4f7201afba24e53fc064a7fd4c70f64701b62f6036291d84689742054
                                  • Instruction ID: dd8b066ed582d571e2552fe4931433ba020d0757fc70dc8cd001cd15b431c1ce
                                  • Opcode Fuzzy Hash: 6d84fce4f7201afba24e53fc064a7fd4c70f64701b62f6036291d84689742054
                                  • Instruction Fuzzy Hash: 22F05C323083159BD3999BA9EC0065A7B9AEBC1354F5641B9E509CB752CF35D801C7E1
                                  Function 067277F9 Relevance: .0, Instructions: 33COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 34230d6ec2d05c9ea4fb7e90e93e92a155d5c4ebd3d287c8c594283d8d2f66c1
                                  • Instruction ID: 611fb8ea5633bed89ca8d3f41f3d2a3651834c1732d5f6544be8caeb0b8d6690
                                  • Opcode Fuzzy Hash: 34230d6ec2d05c9ea4fb7e90e93e92a155d5c4ebd3d287c8c594283d8d2f66c1
                                  • Instruction Fuzzy Hash: 3EF05C7160D2A2DFDB9A8FA05D949D77F71EB8521170844AEE811CF012D764C939D311
                                  Function 06724FF3 Relevance: .0, Instructions: 32COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4bbe756e6c3737837a5c769a9bde3769f95e14ddba19d24faa3d0c2a45e5be6
                                  • Instruction ID: dfdadd9f1ed2e7795ed556f5ee6e190ecb72c0013861df66d16455ab5509f915
                                  • Opcode Fuzzy Hash: b4bbe756e6c3737837a5c769a9bde3769f95e14ddba19d24faa3d0c2a45e5be6
                                  • Instruction Fuzzy Hash: 3AF03475C052299FCB40EFB8D9095DEBFF4EF45240F10816ADA59EB211E7309AA1CBE1
                                  Function 0672FA29 Relevance: .0, Instructions: 32COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3b0d82d1c398556312d7351e3be07877e6636f8e5f0aa4872a7c71459bd80190
                                  • Instruction ID: 66e5656aafbca93cd70477a723715b4203dcb881e04a37099138922b8074c302
                                  • Opcode Fuzzy Hash: 3b0d82d1c398556312d7351e3be07877e6636f8e5f0aa4872a7c71459bd80190
                                  • Instruction Fuzzy Hash: 5FF08C30E802699FCB81DFB898005EDBBF4EF4A700B208066D598D7251E7348E01CBD0
                                  Function 0672FD17 Relevance: .0, Instructions: 31COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c55c27bbd5f89b7e1bc878f2cb66b35d90ca7d4eec9b711374b81c6c9ccee1cc
                                  • Instruction ID: f9e2a274c4a46e1e6710a8004f2ae5bdd10702bbded9d74a3caf9c048aca91d6
                                  • Opcode Fuzzy Hash: c55c27bbd5f89b7e1bc878f2cb66b35d90ca7d4eec9b711374b81c6c9ccee1cc
                                  • Instruction Fuzzy Hash: 30F0EC316883559FD36687BCD8247657BF8AF46700F5544A9D145CB2F2DB68DC01C7E0
                                  Function 06721679 Relevance: .0, Instructions: 30COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1b3ad2bcd17736d0f68e376a969a900e356047221594bcea7e821614585921e9
                                  • Instruction ID: ef7a791b47eb1cdbc9f11dd0bf3fe01a97967f56d89dcec8d81639658211a8a5
                                  • Opcode Fuzzy Hash: 1b3ad2bcd17736d0f68e376a969a900e356047221594bcea7e821614585921e9
                                  • Instruction Fuzzy Hash: B7E02B3391466317D76157A8F8443B937C69782224F4D017396088FFC1D996881187E1
                                  Function 06723F60 Relevance: .0, Instructions: 30COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97f4133b9da2dab44fa28c09b90f214a8b8d76ecd2379e1fd1b3d61672d3aee0
                                  • Instruction ID: ad163e7d3df58044a226df39d8bed280e2a07ff97be6514f5e57c4d9198288d2
                                  • Opcode Fuzzy Hash: 97f4133b9da2dab44fa28c09b90f214a8b8d76ecd2379e1fd1b3d61672d3aee0
                                  • Instruction Fuzzy Hash: 6FE09232709161AFC7054A3CB8048A67FBF9FCB6213154197E145C7233CA209C83CBA1
                                  Function 06726C77 Relevance: .0, Instructions: 25COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 53d3b0b43d8f3ec2f44af66223875c41c1920b841fa8791d4d7394b8aecf18ab
                                  • Instruction ID: aa059d5cf51e920ee6dea4b757fece5790e9f41174b7309c819602b59ff683a4
                                  • Opcode Fuzzy Hash: 53d3b0b43d8f3ec2f44af66223875c41c1920b841fa8791d4d7394b8aecf18ab
                                  • Instruction Fuzzy Hash: 5AE0223230D5D24FCB86AB6494081E97F23CB93B9871902FFE202C7A82D6395D47C384
                                  Function 06721688 Relevance: .0, Instructions: 24COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c52532ab9ea09c1f94cacdf67182957676206b657a3bec0d683cb700c5eafe1
                                  • Instruction ID: 7c401fc19204ee8832321983bb8e43160b307e61eb223a95111f85502201633b
                                  • Opcode Fuzzy Hash: 1c52532ab9ea09c1f94cacdf67182957676206b657a3bec0d683cb700c5eafe1
                                  • Instruction Fuzzy Hash: 2AE02C33A2023303DB249398F4483BA33CAAB80228F084073DA0C8FF80C9E8881287D0
                                  Function 0672FD28 Relevance: .0, Instructions: 24COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a60d7ebb87f8b6a43f277827442d2d80cabd9c7d452abc5b880bf9eaac44d674
                                  • Instruction ID: ad98c9487421bf459fad6a648b8a3a7c18a31c690c9cc5f95d2c6d09e406bc9a
                                  • Opcode Fuzzy Hash: a60d7ebb87f8b6a43f277827442d2d80cabd9c7d452abc5b880bf9eaac44d674
                                  • Instruction Fuzzy Hash: 9EE026327803148BD324D6BCE010B72B7EDAF49320F54007EE206CB2A0CA20DC00C3A4
                                  Function 06725000 Relevance: .0, Instructions: 24COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f141b4f5ee86ac050603887108bf3b0db139a79311e1055bb7a6cf6017ae51dd
                                  • Instruction ID: aa74d7ed98d70d4a6ad6eafe9e91de162dd8b696b022f41e7df30771e484e548
                                  • Opcode Fuzzy Hash: f141b4f5ee86ac050603887108bf3b0db139a79311e1055bb7a6cf6017ae51dd
                                  • Instruction Fuzzy Hash: D1F01571C00219CFCB40EFB8D9001EEBBF4EF05300F108126D949E7210E7305A548BC1
                                  Function 0672FA38 Relevance: .0, Instructions: 23COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cf45bc481e97b7bc388fb598155304b326e1f86245a4f2bf7ae640472ad64ed1
                                  • Instruction ID: eb1ba71b1e00b38a8ff53c03e3a4ecec05e1ee561587f86b884b1ef99bf91d82
                                  • Opcode Fuzzy Hash: cf45bc481e97b7bc388fb598155304b326e1f86245a4f2bf7ae640472ad64ed1
                                  • Instruction Fuzzy Hash: 56E01A71E00219AF8B80EFB9D9045EEBBF9EF48210B208166D918E7210E7349E10CBD0
                                  Function 06725313 Relevance: .0, Instructions: 22COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c22bd683e814373279cd51db34d5c8332e52fca9e8db9c271eb0c7efa07d6b75
                                  • Instruction ID: d303e0a28682516c9cf8143b98cd88070f8fc899e731c97911b3b0e1af3c37d8
                                  • Opcode Fuzzy Hash: c22bd683e814373279cd51db34d5c8332e52fca9e8db9c271eb0c7efa07d6b75
                                  • Instruction Fuzzy Hash: A7F06D7084475ACFEB41EFB4C4146ADBBB0AF0A344F10055AD442AB291EB305985CB81
                                  Function 06722520 Relevance: .0, Instructions: 21COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 00d52ba69957167051871426674fd5a4b87c7d5573c4f84de21f1e4a6f018bd4
                                  • Instruction ID: 5593590b1863b2e167ac6dea4e6872204943ee32b96ff9c9e02f8202e08fbdee
                                  • Opcode Fuzzy Hash: 00d52ba69957167051871426674fd5a4b87c7d5573c4f84de21f1e4a6f018bd4
                                  • Instruction Fuzzy Hash: 7ED05B357105105F4A04561FE40885EF7EFEFD9A2131540A7F509C3330CFB0DC0246A4
                                  Function 0672A8E8 Relevance: .0, Instructions: 21COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b38ec8114b7e77938d02e9907ecbaf49dd5d38c8e8df4e7d7ab1dd180be5fe8
                                  • Instruction ID: 07b0e09696b491784f198971b8253c51071173ca17e37e7f41024fb7fe320f77
                                  • Opcode Fuzzy Hash: 0b38ec8114b7e77938d02e9907ecbaf49dd5d38c8e8df4e7d7ab1dd180be5fe8
                                  • Instruction Fuzzy Hash: 55D02B342053A29FD7438F21A02107D7E12DF5721072500A6E842DB652DE698C4383E3
                                  Function 06723F70 Relevance: .0, Instructions: 19COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7379b1bcbf6929357d887cbea91bea3a68339967432735aa2b59a51e0093403a
                                  • Instruction ID: 548ebc08fdb3bd3e6ba451f247b9008a1f360fb3e0743369a83567d2eb98a20b
                                  • Opcode Fuzzy Hash: 7379b1bcbf6929357d887cbea91bea3a68339967432735aa2b59a51e0093403a
                                  • Instruction Fuzzy Hash: 94D05E327100209F87049F1EE50486ABBEFDFC963132540ABE109C7322CA71EC03CBA0
                                  Function 06726C88 Relevance: .0, Instructions: 17COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f22a5c89c02e9547e6033695a13b9b449defdd0395ba9692c3c07930691974b1
                                  • Instruction ID: f04eb1f68bee5e00839935f182ebb861b33d0d9f416f7e2bbf44d8d0ba4a2c87
                                  • Opcode Fuzzy Hash: f22a5c89c02e9547e6033695a13b9b449defdd0395ba9692c3c07930691974b1
                                  • Instruction Fuzzy Hash: E8D0A732304824478F446B18E4094ED376BDF857A53198136F706C7B80CF76AC1387C8
                                  Function 067214D9 Relevance: .0, Instructions: 16COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 730eb9a53ebffa899fcbb0b215c04679b619d2a4a3a0ef5f67ba63bae93be073
                                  • Instruction ID: 85ea7e6fcdaf128ed12494974e13bb824661695346f019a4db83a8a5274178ae
                                  • Opcode Fuzzy Hash: 730eb9a53ebffa899fcbb0b215c04679b619d2a4a3a0ef5f67ba63bae93be073
                                  • Instruction Fuzzy Hash: 63E0C23041A7D1CFCB22CF30E8147563F32FB06245F48009AE051AA063D62C8804CB91
                                  Function 0672A610 Relevance: .0, Instructions: 12COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8240e125401aab6fb725206b517a5c09081bedb7c82fd36218d73ee96f73f980
                                  • Instruction ID: 5eb87c440e0076e670212ef40097c973f36dd6bf0a80c20ef2b9c63d3df74437
                                  • Opcode Fuzzy Hash: 8240e125401aab6fb725206b517a5c09081bedb7c82fd36218d73ee96f73f980
                                  • Instruction Fuzzy Hash: 19C08C30590109CFCB40ABA8F1489B43BA9EF8462931040A2F61C87A32FB22EC008A40
                                  Function 0672015E Relevance: .0, Instructions: 11COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339078927.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6720000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2874886de351fe79f42dd7db4c0e2f434c2c6666bf5ed5c2aa4669c0f945b86e
                                  • Instruction ID: e169930efd9fe7039f3afef6444eb74fb7f51728f5e4c9f79e9e703f6659dd17
                                  • Opcode Fuzzy Hash: 2874886de351fe79f42dd7db4c0e2f434c2c6666bf5ed5c2aa4669c0f945b86e
                                  • Instruction Fuzzy Hash: 0FD0927054520ACFE710DF50C66ABAE7B71FB04318F600818D002BA6A1C7768A85CBA1

                                  Non-executed Functions

                                  Function 06718872 Relevance: .3, Instructions: 264COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ef3aae9bc2e17c13ce42fea4e3ab55a900cf6667a9c9d8f4bb85806b6e78489e
                                  • Instruction ID: 08d103e164fc1e09914f5bc1e73bd851db8e2fa2581633d70c5c061e16a3d8f8
                                  • Opcode Fuzzy Hash: ef3aae9bc2e17c13ce42fea4e3ab55a900cf6667a9c9d8f4bb85806b6e78489e
                                  • Instruction Fuzzy Hash: 07C1AF74E01258CFDB54DFA9C890BADBBB2BF89300F2081AAD419AB354DB355D86CF51
                                  Function 06718880 Relevance: .3, Instructions: 257COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2fb8346b5693378086ebc6dbb90ffb2351bdb15b49298b19db263d019c55429
                                  • Instruction ID: afbdfd2158bea8eac2b650a17a3561f03fb6f0a37ff3e0065de8dec2c9b7dc3a
                                  • Opcode Fuzzy Hash: b2fb8346b5693378086ebc6dbb90ffb2351bdb15b49298b19db263d019c55429
                                  • Instruction Fuzzy Hash: F2C19F74E01218CFDB54DFA9C890B9EBBB2BF89300F2081AAD419AB354DB355D86CF51
                                  Function 06713C93 Relevance: .0, Instructions: 48COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4644dfb6e5df499d11ee192308ba8c7a2274e5712fc5f771860f4af2596b4589
                                  • Instruction ID: e23c24db90737c6d1ccdf54b6eb2006e8eea0e74342da2d4bd03136a20d1ead5
                                  • Opcode Fuzzy Hash: 4644dfb6e5df499d11ee192308ba8c7a2274e5712fc5f771860f4af2596b4589
                                  • Instruction Fuzzy Hash: 75014F34E00318EFCB45CF88D845AADB7B4EF4A311F114196E519AF262C7319D50CB90
                                  Function 0671A7CC Relevance: .0, Instructions: 25COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2339001011.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6710000_MSBuild.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6bda0aa615b971c4dd824ae114d9d1943d3b2cb5fbb56fe61c7bd587ed5b4ab8
                                  • Instruction ID: 1ca1cf05d5f2c5bf3526e07001fc30958fc8837ca3ec85bdc346b199ccef8649
                                  • Opcode Fuzzy Hash: 6bda0aa615b971c4dd824ae114d9d1943d3b2cb5fbb56fe61c7bd587ed5b4ab8
                                  • Instruction Fuzzy Hash: 0BF0C970C85259CFEB659F58D8587BDFAB0AF06305F10A55AC4067B140C7744689CFC4