Windows Analysis Report
StrangeOstrumV2.exe

Overview

General Information

Sample name: StrangeOstrumV2.exe
Analysis ID: 1465689
MD5: d16418fbada8f2a6f41b58b0666c2bda
SHA1: 918047757fafd633f111fc9c47b90e5611341aab
SHA256: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • StrangeOstrumV2.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\StrangeOstrumV2.exe" MD5: D16418FBADA8F2A6F41B58B0666C2BDA)
    • conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 368 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "185.196.9.26:6302", "Authorization Header": "1d35c3d8e5f5b5bc719234554ae131d3"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author
00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.2128236804.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: StrangeOstrumV2.exe PID: 6508 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Source | Rule | Description | Author
0.2.StrangeOstrumV2.exe.6cf4f000.5.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.StrangeOstrumV2.exe.6cf4f000.5.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
3.2.MSBuild.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.StrangeOstrumV2.exe.6cf30000.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Timestamp: 07/02/24-00:14:56.057211
SID: 2043234
Source Port: 6302
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/02/24-00:15:03.599918
SID: 2043231
Source Port: 49704
Destination Port: 6302
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/02/24-00:14:55.781650
SID: 2046045
Source Port: 49704
Destination Port: 6302
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/02/24-00:15:01.393903
SID: 2046056
Source Port: 6302
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: StrangeOstrumV2.exe | Avira: detected
Source: 0.2.StrangeOstrumV2.exe.6cf30000.4.unpack | Malware Configuration Extractor: RedLine {"C2 url": "185.196.9.26:6302", "Authorization Header": "1d35c3d8e5f5b5bc719234554ae131d3"}
Source: C:\Users\user\AppData\Roaming\d3d9.dll | ReversingLabs: Detection: 55%
Source: StrangeOstrumV2.exe | ReversingLabs: Detection: 48%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\d3d9.dll | Joe Sandbox ML: detected
Source: StrangeOstrumV2.exe | Joe Sandbox ML: detected
Source: StrangeOstrumV2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: StrangeOstrumV2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF40228 FindFirstFileExW,0_2_6CF40228

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 185.196.9.26:6302
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49704 -> 185.196.9.26:6302
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 185.196.9.26:6302 -> 192.168.2.5:49704
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 185.196.9.26:6302 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 185.196.9.26:6302
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 185.196.9.26:6302
Source: Joe Sandbox View | ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91 (7 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.196.9.26 (17 occurrences)
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/D
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002CE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002CE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: StrangeOstrumV2.exe, StrangeOstrumV2.exe, 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2128236804.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703

System Summary

Source: StrangeOstrumV2.exe | Static PE information: section name: qq9WI>4z
Source: StrangeOstrumV2.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF328C0 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess, | 0_2_6CF328C0
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF328C0
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF330C0
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF311E0
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF3ACE0
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF467C5
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03017330
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03012BB8
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03016500
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03017928
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03012187
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_030118A8
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03016708
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03012AD0
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_030166F8
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03017917
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03017540
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03014000
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03014010
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_03011810
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_0301182F
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_030134A8
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_030134B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_00F8DC74
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: String function: 6CF3BD50 appears 33 times
Source: StrangeOstrumV2.exe, 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenameLeve.exe8 vs StrangeOstrumV2.exe
Source: StrangeOstrumV2.exe, 00000000.00000000.2018154025.0000000000E4C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCosmicEdge72981679041.exeT vs StrangeOstrumV2.exe
Source: StrangeOstrumV2.exe, 00000000.00000002.2033540432.000000000134E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs StrangeOstrumV2.exe
Source: StrangeOstrumV2.exe | Binary or memory string: OriginalFilenameCosmicEdge72981679041.exeT vs StrangeOstrumV2.exe
Source: StrangeOstrumV2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: StrangeOstrumV2.exe | Static PE information: Section: qq9WI>4z ZLIB complexity 1.0003341490963855
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | File created: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:120:WilError_03
Source: StrangeOstrumV2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002D76000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: StrangeOstrumV2.exe | ReversingLabs: Detection: 48%
Source: unknown | Process created: C:\Users\user\Desktop\StrangeOstrumV2.exe "C:\Users\user\Desktop\StrangeOstrumV2.exe"
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" (2 occurrences)
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: StrangeOstrumV2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: StrangeOstrumV2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeUnpacked PE file: 0.2.StrangeOstrumV2.exe.df0000.0.unpack qq9WI>4z:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
                        Source: StrangeOstrumV2.exeStatic PE information: section name: qq9WI>4z
                        Source: StrangeOstrumV2.exeStatic PE information: section name:
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeCode function: 0_2_00E20918 push es; ret 0_2_00E20919
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeCode function: 0_2_6CF46EF4 push ecx; ret 0_2_6CF46F07
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeCode function: 0_2_03015801 push ebp; retf 0_2_03015802
                        Source: StrangeOstrumV2.exeStatic PE information: section name: qq9WI>4z entropy: 7.999101795606584
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeFile created: C:\Users\user\AppData\Roaming\d3d9.dllJump to dropped file
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        Source: Yara match | File source: Process Memory Space: StrangeOstrumV2.exe PID: 6508, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 2F70000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 31F0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 57B0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 67B0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 68E0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 78E0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 7DB0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 8DB0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: 9DB0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: EE0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2A70000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 569
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2190
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe TID: 2128 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6592 | Thread sleep time: -9223372036854770s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4024 | Thread sleep count: 569 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4024 | Thread sleep count: 2190 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2140 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF40228 FindFirstFileExW,0_2_6CF40228
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655LRcq
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: MSBuild.exe, 00000003.00000002.2130743477.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: MSBuild.exe, 00000003.00000002.2136896387.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000003454000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655LRcq
                        Source: MSBuild.exe, 00000003.00000002.2132044966.0000000002B97000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF3BBDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CF3BBDA
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF4194B GetProcessHeap,0_2_6CF4194B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF3FB77 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CF3FB77
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF3B701 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6CF3B701
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF330C0 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,VirtualAllocEx,WriteProcessMemory,SetThreadContext,ResumeThread,0_2_6CF330C0
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 782008
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Code function: 0_2_6CF3BD98 cpuid 0_2_6CF3BD98
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exe | Queries volume information: C:\Users\user\Desktop\StrangeOstrumV2.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\StrangeOstrumV2.exeCode function: 0_2_6CF3B823 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6CF3B823
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
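The injection lines above are the classic hollowing chain: MSBuild.exe is started, RWX memory is allocated in it at 0x400000, an MZ header (4D5A) is written there, three more writes fill in sections, and one write lands far outside the image. The following detector is an added example, not part of the Joe Sandbox report; it parses lines in the report's own extracted shape (the fused fields and the trailing "Jump to behavior" link text included, as well as a cleaned "Source: x | Event: y" form) and correlates them per injector/target pair. The indicator names, the Event/Verdict types and the 1 MiB IMAGE_SPAN heuristic for "this write is still inside the injected image" are this example's assumptions.

```python
"""Correlate Joe Sandbox-style behaviour lines into a process-hollowing verdict.
Added example, not part of the report; it parses the report's own line shape
(fused fields and the trailing "Jump to behavior" link text included)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the report's injection lines, copied as extracted.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\StrangeOstrumV2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
Source: C:\Users\user\Desktop\StrangeOstrumV2.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\StrangeOstrumV2.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Desktop\StrangeOstrumV2.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
Source: C:\Users\user\Desktop\StrangeOstrumV2.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000Jump to behavior
Source: C:\Users\user\Desktop\StrangeOstrumV2.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000Jump to behavior
Source: C:\Users\user\Desktop\StrangeOstrumV2.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 782008Jump to behavior
""".strip().splitlines()

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|?\s*(?P<kind>Process created|Memory allocated|Memory written):\s*"
                     r"(?P<rest>.*?)(?:Jump to behavior)?\s*$")
ALLOC_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<protect>.+)$")
WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<prefix>[0-9A-Fa-f]+))?$")

MZ_MAGIC = "4D5A"      # 'MZ' as the report prints it in "value starts with"
IMAGE_SPAN = 0x100000  # assumption: writes within 1 MiB above the RWX base are sections of the injected image


@dataclass
class Event:
    src: str
    kind: str
    target: str
    base: int = 0
    protect: str = ""
    prefix: str = ""   # hex of the first bytes written, when the sandbox recorded them


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind, rest = m["src"], m["kind"], m["rest"].strip()
    if kind == "Process created":
        return Event(src, kind, rest.split('"')[0].strip())   # image path precedes the quoted command line
    if kind == "Memory allocated":
        a = ALLOC_RE.match(rest)
        return Event(src, kind, a["target"], int(a["base"], 16), a["protect"].lower()) if a else None
    w = WRITE_RE.match(rest)
    return Event(src, kind, w["target"], int(w["base"], 16), prefix=(w["prefix"] or "").upper()) if w else None


@dataclass
class Verdict:
    src: str
    target: str
    image_base: int = 0
    indicators: List[str] = field(default_factory=list)

    @property
    def hollowing(self) -> bool:
        """Minimal chain: child created, RWX region at an image base, MZ header written there."""
        return {"child_created", "rwx_alloc", "mz_header_written"} <= set(self.indicators)

    @property
    def windows_host(self) -> bool:
        """The hollowed host is a binary under the Windows directory (here MSBuild.exe)."""
        return self.target.lower().startswith("c:\\windows\\")


def correlate(lines) -> Dict[Tuple[str, str], Verdict]:
    verdicts: Dict[Tuple[str, str], Verdict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        v = verdicts.setdefault((ev.src, ev.target), Verdict(ev.src, ev.target))
        if ev.kind == "Process created":
            v.indicators.append("child_created")
        elif ev.kind == "Memory allocated" and "execute" in ev.protect and "write" in ev.protect:
            v.image_base = ev.base
            v.indicators.append("rwx_alloc")
        elif ev.kind == "Memory written" and v.image_base:
            if ev.base == v.image_base and ev.prefix.startswith(MZ_MAGIC):
                v.indicators.append("mz_header_written")
            elif v.image_base < ev.base < v.image_base + IMAGE_SPAN:
                v.indicators.append("section_written")
            else:
                # far from the image: in 32-bit hollowing this is typically the
                # PEB->ImageBaseAddress update, recorded here only as an out-of-image write
                v.indicators.append("out_of_image_write")
    return verdicts


if __name__ == "__main__":
    for (src, target), v in correlate(SAMPLE_LINES).items():
        label = "PROCESS HOLLOWING" if v.hollowing else "no verdict"
        host = " into Windows-directory host" if v.windows_host else ""
        print(f"{label}{host}: {src} -> {target} @ 0x{v.image_base:X}: {', '.join(v.indicators)}")
```

Run stand-alone it prints one verdict for the StrangeOstrumV2.exe to MSBuild.exe pair with all five indicator kinds. The verdict deliberately rests on the allocation/write pattern alone, because sandbox and EDR telemetry does not always expose the SetThreadContext/ResumeThread calls that the "Code function" line shows here; when it does, appending those as further indicators is a one-line change.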

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.StrangeOstrumV2.exe.6cf4f000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.StrangeOstrumV2.exe.6cf4f000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.StrangeOstrumV2.exe.6cf30000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2128236804.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: StrangeOstrumV2.exe PID: 6508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 368, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 368, type: MEMORYSTR
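The "File opened" lines above are the stealer's collection phase seen from the file system: the hollowed MSBuild.exe reads Firefox, Chrome and Edge cookie, login and autofill stores and then sweeps eight unrelated wallet application directories. The profiler below is an added example, not part of the report; it parses lines in the report's extracted shape, classifies each opened path against browser credential stores and the wallet directories listed above, and flags a process that, like a build tool living under C:\Windows, has no business reading any of them. The Firefox logins.json/key4.db patterns go beyond the report (it only shows cookies.sqlite being opened), the two-wallet threshold is this example's assumption, and all names are its own.

```python
"""Profile 'File opened' behaviour lines for browser-credential and wallet harvesting.
Added example, not part of the report; it parses the report's own line shape."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: the report's distinct "File opened" paths, re-joined into the extracted line shape.
SRC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PATHS = r"""
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
C:\Users\user\AppData\Roaming\atomic\
C:\Users\user\AppData\Roaming\Binance\
C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
C:\Users\user\AppData\Roaming\Electrum\wallets\
C:\Users\user\AppData\Roaming\Ethereum\wallets\
C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
C:\Users\user\AppData\Roaming\Exodus\
C:\Users\user\AppData\Roaming\Guarda\
C:\Users\user\AppData\Roaming\com.liberty.jaxx\
""".strip().splitlines()
SAMPLE_LINES = [f"Source: {SRC}File opened: {p}Jump to behavior" for p in PATHS]

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|?\s*File opened:\s*(?P<path>.*?)(?:Jump to behavior)?\s*$")

# Browser credential stores (Chromium family and Firefox). logins.json/key4.db are Firefox's
# password store, added beyond the report's list, which only shows cookies.sqlite being opened.
BROWSER_STORES = [
    ("chromium_logins", re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("chromium_cookies", re.compile(r"\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I)),
    ("chromium_ext_cookies", re.compile(r"\\User Data\\[^\\]+\\Extension Cookies$", re.I)),
    ("chromium_autofill", re.compile(r"\\User Data\\[^\\]+\\Web Data$", re.I)),
    ("firefox_cookies", re.compile(r"\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I)),
    ("firefox_logins", re.compile(r"\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db)$", re.I)),
]
# Wallet application directories the report shows being opened (path fragment -> wallet).
WALLET_DIRS = {
    "\\Roaming\\atomic\\": "Atomic", "\\Roaming\\Binance\\": "Binance",
    "\\Local\\Coinomi\\": "Coinomi", "\\Roaming\\Electrum\\": "Electrum",
    "\\Roaming\\Ethereum\\": "Ethereum keystore", "\\Roaming\\Exodus\\": "Exodus",
    "\\Roaming\\Guarda\\": "Guarda", "\\Roaming\\com.liberty.jaxx\\": "Jaxx Liberty",
}


@dataclass
class Profile:
    process: str
    browser_hits: Counter = field(default_factory=Counter)   # store label -> number of opens
    wallets: Set[str] = field(default_factory=set)           # distinct wallet apps touched


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """('browser', store) or ('wallet', app) for a known secret location, else None."""
    for store, rx in BROWSER_STORES:
        if rx.search(path):
            return "browser", store
    low = path.lower()
    for frag, app in WALLET_DIRS.items():
        if frag.lower() in low:
            return "wallet", app
    return None


def assess(lines) -> Dict[str, Profile]:
    """Group the secret locations each source process opened."""
    profiles: Dict[str, Profile] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = profiles.setdefault(m["src"], Profile(m["src"]))
        hit = classify_path(m["path"].strip())
        if hit is None:
            continue
        if hit[0] == "browser":
            p.browser_hits[hit[1]] += 1
        else:
            p.wallets.add(hit[1])
    return profiles


def verdict(p: Profile) -> Tuple[bool, List[str]]:
    """Stealer-like if a non-browser reads browser stores and sweeps several wallets,
    or if a Windows-directory binary reads any of them (MSBuild.exe never legitimately does)."""
    is_browser = re.search(r"\\(chrome|msedge|firefox)\.exe$", p.process, re.I) is not None
    reasons: List[str] = []
    if p.browser_hits and not is_browser:
        reasons.append("browser_store_access_by_non_browser")
    if len(p.wallets) >= 2:   # assumption: one app touching its own wallet dir is normal; several is a sweep
        reasons.append("multi_wallet_sweep")
    if p.process.lower().startswith("c:\\windows\\") and (p.browser_hits or p.wallets):
        reasons.append("windows_binary_reading_user_secrets")
    flagged = set(reasons) >= {"browser_store_access_by_non_browser", "multi_wallet_sweep"} \
        or "windows_binary_reading_user_secrets" in reasons
    return flagged, reasons


if __name__ == "__main__":
    for p in assess(SAMPLE_LINES).values():
        flagged, reasons = verdict(p)
        print(f"{'STEALER-LIKE' if flagged else 'ok'} {p.process}: "
              f"{dict(p.browser_hits)} wallets={sorted(p.wallets)} {reasons}")
```

The same rule set, fed Sysmon file-access or EDR telemetry instead of sandbox lines, separates this sample from a browser opening its own profile: chrome.exe reading Login Data produces no reasons at all, while MSBuild.exe trips every one.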

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.StrangeOstrumV2.exe.6cf4f000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.StrangeOstrumV2.exe.6cf4f000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.StrangeOstrumV2.exe.6cf30000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2128236804.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: StrangeOstrumV2.exe PID: 6508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 368, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques with signature hits, per tactic; the numbers in parentheses are the hit counts the report shows against each technique. Cells of the report's matrix that carry no count are the unmatched techniques of its standard template and are omitted here.

Execution: Windows Management Instrumentation (2, 2, 1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (4, 1, 1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (2, 4, 1); Process Injection (4, 1, 1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1, 2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: System Time Discovery (1); Security Software Discovery (3, 4, 1); Process Discovery (1); Virtualization/Sandbox Evasion (2, 4, 1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1, 2, 4)
Collection: Archive Collected Data (1); Data from Local System (2)
Command and Control: Encrypted Channel (1, 2); Non-Standard Port (1); Application Layer Protocol (1, 1)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no signature hits
[Behavior graph not included in this extraction. Its legend keys the graph nodes as process, signature, created file or DNS/IP info, marks dropped files and Windows processes, gives the number of created registry values and files, the implementation language (Visual Basic, Delphi, Java, .NET C# or VB.NET, C/C++ or other), and flags malicious nodes and Internet access. Screenshot thumbnails are likewise not included.]
Antivirus detection, submitted sample

Source | Detection | Scanner | Label
StrangeOstrumV2.exe | 49% | ReversingLabs | Win32.Spyware.RedLine
StrangeOstrumV2.exe | 100% | Avira | HEUR/AGEN.1311437
StrangeOstrumV2.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\d3d9.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\d3d9.dll | 56% | ReversingLabs | Win32.Trojan.LummaStealer

No Antivirus matches
No Antivirus matches
Antivirus detection, URLs

Note: the schemas.xmlsoap.org, docs.oasis-open.org and tempuri.org entries are WS-* namespace URIs and WCF default-contract URIs (tempuri.org/Entity/IdN) carried by the System.ServiceModel assemblies the injected MSBuild.exe loads (see the volume-information queries above); they are in-memory string artifacts, not contacted URLs, which is why every reputation lookup in this table returns safe. https://api.ip.sb/ip is a public IP-echo service used to learn the victim's external address. The only raw endpoint, 185.196.9.26:6302, is the entry the sandbox marks malicious in the contacted-IP table below.

Source | Detection | Scanner | Label
http://tempuri.org/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id14 | 0%
 | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | Avira URL Cloud | safe
185.196.9.26:6302 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id3ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | 0% | Avira URL Cloud | safe
http://tempuri.org/D | 0% | Avira URL Cloud | safe
No contacted domains info

Contacted IPs

Name | Malicious | Antivirus Detection | Reputation
185.196.9.26:6302 | true | Avira URL Cloud: safe | unknown
URLs found in process memory

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | MSBuild.exe, 00000003.00000002.2132044966.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12Response | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21Response | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id9 | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id8 | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id4 | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id19Response | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id15ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id6ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://api.ip.sb/ipStrangeOstrumV2.exe, StrangeOstrumV2.exe, 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2128236804.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/scMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id1ResponseDMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id9ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id20MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id21MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id22MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id23MSBuild.exe, 00000003.00000002.2132044966.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id24MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id24ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.ecosia.org/newtab/MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id1ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressingMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trustMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id10MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id11MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id12MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id16ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id13MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id14MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id15MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id16MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/NonceMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id17MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id18MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id5ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id19MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id10ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id8ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/soap/envelope/MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1MSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=MSBuild.exe, 00000003.00000002.2136896387.0000000003AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trustMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id3ResponseDMSBuild.exe, 00000003.00000002.2132044966.0000000002CE3000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id23ResponseMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2132044966.0000000002A71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/DMSBuild.exe, 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        IP:185.196.9.26
                        Domain:unknown
                        Country:Switzerland
                        ASN:42624
                        ASN Name:SIMPLECARRIERCH
                        Malicious:true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1465689
                        Start date and time:2024-07-02 00:14:04 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 19s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed:4
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:StrangeOstrumV2.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@4/3@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 55
                        • Number of non-executed functions: 27
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): dllhost.exe
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: StrangeOstrumV2.exe
                        Time:18:15:02
                        Type:API Interceptor
                        Description:15x Sleep call for process: MSBuild.exe modified
                        Match:185.196.9.26
                        • BqDa1EBEUK.exe, Detection: malicious, Threat Name: RedLine
                        • software.exe, Detection: malicious, Threat Name: RedLine
                        Match:SIMPLECARRIERCH
                        • BqDa1EBEUK.exe, Detection: malicious, Threat Name: RedLine, Context: 185.196.9.26
                        • Jr7B1jZMaT.exe, Detection: malicious, Threat Name: NovaSentinel, Context: 185.196.9.89
                        • software.exe, Detection: malicious, Threat Name: RedLine, Context: 185.196.9.26
                        • rIlzbkxg.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 185.196.9.150
                        • AaSwePhLEn.exe, Detection: malicious, Threat Name: RHADAMANTHYS, Context: 185.196.9.57
                        • rlytKovocev.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 185.196.11.12
                        • rrTqdiabb.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 185.196.11.12
                        • mFduH8XG1f.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 185.196.9.150
                        • 8uy7ZljOoi.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 185.196.11.12
                        • Dekont-31.05.2024.pdf.exe, Detection: malicious, Threat Name: AgentTesla, PureLog Stealer, Context: 185.196.11.12
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):3094
                            Entropy (8bit):5.33145931749415
                            Encrypted:false
                            SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                            MD5:3FD5C0634443FB2EF2796B9636159CB6
                            SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                            SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                            SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Users\user\Desktop\StrangeOstrumV2.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):42
                            Entropy (8bit):4.0050635535766075
                            Encrypted:false
                            SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                            MD5:84CFDB4B995B1DBF543B26B86C863ADC
                            SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                            SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                            SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                            Process:C:\Users\user\Desktop\StrangeOstrumV2.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):426496
                            Entropy (8bit):5.904549086124832
                            Encrypted:false
                            SSDEEP:6144:/8mSgxOO/OgiPPTZcU6F8ap77RAAKZHp4tJqcVoBRQw:UmSgqgiPDnK77RAAKQqlLZ
                            MD5:D922CE4F3346515CA2B68E2087968B2F
                            SHA1:795D03F4EA0F6D9EA34E54D6BFA89299C6D667EC
                            SHA-256:4BCC0D0119071AE3DCD6377680F762E631591F9DC5EA45A68AD943A48B1F6D1B
                            SHA-512:95FDD75A779422174685C91D9782D9D3607D2F7638FCB94A2A19399317D18C8BBEE10CB71738347F55EC87A4B2B705DFBEC995182E6F149C28BB76DBA0A1C566
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 56%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L....Z.f...........!...&.b...&...........................................................@.............................x...x...<...............................L... ...............................`...@...............P............................text...Ca.......b.................. ..`.rdata...d.......f...f..............@..@.data...\...........................@....reloc..L............n..............@..B................................................................................................................................................................................................................................................................................................................................
                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.166152221610949
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                            • Win32 Executable (generic) a (10002005/4) 49.96%
                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:StrangeOstrumV2.exe
                            File size:364'544 bytes
                            MD5:d16418fbada8f2a6f41b58b0666c2bda
                            SHA1:918047757fafd633f111fc9c47b90e5611341aab
                            SHA256:6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e
                            SHA512:0bc4daeb51b6596e248e861b3c293a0d58ffeb46746dd16db42c337fb3b415648d79975af298ea0043393f0063ff43b938ab6097690c756723ce26ef04725fd1
                            SSDEEP:6144:XYLVGAk69fIESPUSyvC3WvwKP2XYvy07e1hQRpsJQlGNc8NJRxx+G8WM1ofwipTs:XrAk69fNSGpMYP7uh2sJQlGNc8NJRxxE
                            TLSH:F27462DDB65076DFC867D462DEA82CA8EA6035BB932F4203912715ADDA4C897CF140F2
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.f.................D...H...........`... ....@.. ....................... ............@................................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x46000a
                            Entrypoint Section:
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows cui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66815AC5 [Sun Jun 30 13:16:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00460000h]
(followed by 97 repetitions of "add byte ptr [eax], al", which is how the 00 00 zero padding after the 6-byte stub decodes; 0x460000 is ImageBase 0x400000 plus the 8-byte IAT at RVA 0x60000, whose single slot resolves to mscoree.dll!_CorExeMain, the standard native entry stub of a .NET executable)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x36750          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5c000          0x708         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x60000          0x8           (unnamed section at 0x60000)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x36000          0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
qq9WI>4z  0x2000           0x33d18       0x33e00   f57ccddcf413af6e1616a6326154941f  False     1.0003341490963855   data       7.999101795606584    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text     0x36000          0x24060       0x24200   fc44d16c3f2f110dfe40061d1af20a7d  False     0.3633082828719723   data       4.652421089344327    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc     0x5c000          0x708         0x800     2e7baaf33ee86baa08da3fd63a36c22e  False     0.3720703125         data       3.804664053466187    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0x5e000          0xc           0x200     1e37c0bd08615c8250069f61ab34fa51  False     0.044921875          data       0.07763316234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(none)    0x60000          0x10          0x200     88a4aa968e4a664498a0ecea4cd0615c  False     0.044921875          data       0.12227588125913882  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                                     Language  Country  ZLIB Complexity
RT_VERSION   0x5c0a0  0x478  data                                                                                                        0.3968531468531469
RT_MANIFEST  0x5c518  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                           0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
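The section table above carries the static tells of a packed .NET loader: a section named with special characters, a nameless fifth section that holds both the IAT and the entry point, and a read/write/execute section with entropy 7.999. As an added example (not code from the Joe Sandbox report or from the sample), the following Python script performs those checks on a PE32 section table. The PE it inspects is built in memory from the header values in this report (same section names, RVAs, characteristics, entry point 0x6000a and data directories) with constructed, shortened section bodies, the high-entropy section filled with pseudorandom bytes, so it runs offline; the 7.9 entropy threshold is this example's assumption. To triage a real file, pass its bytes to triage().

```python
"""Static section-table triage for a PE32 file.

Added example; not code from the Joe Sandbox report or from the sample.
build_sample_pe() constructs a stand-in for StrangeOstrumV2.exe's headers
from the values in the report (section names, RVAs, characteristics, entry
point, data directories) with shortened, constructed section bodies.
"""
import math
import random
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER, 40 bytes
OPTIONAL_HDR32 = "<HBB9I6H4I2H6I"  # IMAGE_OPTIONAL_HEADER32 before the data directories, 96 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> Tuple[int, List[Dict]]:
    """Return (AddressOfEntryPoint, section records) for a PE32 image."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) handled here")
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    sections = []
    for i in range(num_sections):
        hdr = struct.unpack_from(SECTION_HDR, pe, opt + size_of_optional + i * 40)
        name, vsize, va, rawsize, rawptr, flags = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "flags": flags,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry_rva, sections


def triage(pe: bytes, entropy_limit: float = 7.9) -> List[str]:
    """Flag the section anomalies a packed loader tends to show.
    The 7.9 entropy threshold is an assumption of this example."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_section = [], None
    for s in sections:
        label = s["name"].decode("latin-1") or "<nameless>"
        if not s["name"]:
            findings.append(f"nameless section at RVA {s['va']:#x}")
        elif not all(ch.isalnum() or ch in "._$" for ch in label):
            findings.append(f"section name with special chars: {label!r}")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable+executable section {label!r}")
        if s["entropy"] > entropy_limit:
            findings.append(f"high-entropy ({s['entropy']:.2f}) section {label!r}: likely packed or encrypted")
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = label
    if entry_section is None:
        findings.append(f"entry point {entry_rva:#x} lies outside every section")
    elif entry_section == "<nameless>":
        findings.append(f"entry point {entry_rva:#x} in a nameless section")
    return findings


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe() -> bytes:
    """Constructed stand-in for the report's headers; section bodies are shortened."""
    rng = random.Random(1465689)
    packed = bytes(rng.getrandbits(8) for _ in range(0x4000))  # stands in for the 7.999-entropy section
    text = b"\x8b\xff\x55\x8b\xec" * 800                        # low-entropy, code-like filler
    stub = b"\xff\x25\x00\x00\x46\x00"                          # jmp dword ptr [0x460000], as at the entry point
    specs = [  # (name, virtual address, characteristics, body)
        (b"qq9WI>4z", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, packed),
        (b".text", 0x36000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, text),
        (b".rsrc", 0x5C000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, bytes(0x708)),
        (b".reloc", 0x5E000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, bytes(0xC)),
        (b"", 0x60000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(10) + stub),  # 8-byte IAT, pad, stub at +0xa
    ]
    file_align, section_align, headers_size = 0x200, 0x2000, 0x200
    raw_ptr, table, bodies, size_of_code, size_of_data = headers_size, b"", b"", 0, 0
    for name, va, flags, body in specs:
        rawsize = _align(len(body), file_align)
        if flags & IMAGE_SCN_CNT_CODE:
            size_of_code += rawsize
        if flags & IMAGE_SCN_CNT_INITIALIZED_DATA:
            size_of_data += rawsize
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(body), va, rawsize, raw_ptr, 0, 0, 0, 0, flags)
        bodies += body.ljust(rawsize, b"\0")
        raw_ptr += rawsize
    size_of_image = _align(specs[-1][1] + len(specs[-1][3]), section_align)
    optional = struct.pack(
        OPTIONAL_HDR32, 0x10B, 48, 0,
        size_of_code, size_of_data, 0,
        0x6000A, 0x36000, 0x2000,         # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, section_align, file_align,
        4, 0, 4, 0, 4, 0,                 # OS, image and subsystem versions 4.0 as in the report
        0, size_of_image, headers_size, 0,
        3, 0x8540,                        # windows cui; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)  # import, resource, basereloc, IAT, COM descriptor as in the report
    for idx, rva, size in ((1, 0x36750, 0x4B), (2, 0x5C000, 0x708), (5, 0x5E000, 0xC), (12, 0x60000, 8), (14, 0x36000, 0x48)):
        struct.pack_into("<II", dirs, idx * 8, rva, size)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0x66815AC5, 0, 0, len(optional) + len(dirs), 0x0102)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    headers = (dos + b"PE\0\0" + coff + optional + bytes(dirs) + table).ljust(headers_size, b"\0")
    return headers + bodies


if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print(finding)
```

The entry-point check is the one that matters for this sample: Joe Sandbox leaves "Entrypoint Section" blank because 0x6000a falls into the unnamed section, and a loader that places its entry in an unnamed, otherwise empty code section next to a single IAT slot is following the .NET stub layout without the compiler-produced names.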
Timestamp                 Protocol  SID      Message                                                                              Src Port  Dst Port  Src IP        Dst IP
07/02/24-00:14:56.057211  TCP       2043234  ET MALWARE Redline Stealer TCP CnC - Id1Response                                     6302      49704     185.196.9.26  192.168.2.5
07/02/24-00:15:03.599918  TCP       2043231  ET TROJAN Redline Stealer TCP CnC Activity                                           49704     6302      192.168.2.5   185.196.9.26
07/02/24-00:14:55.781650  TCP       2046045  ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)  49704     6302      192.168.2.5   185.196.9.26
07/02/24-00:15:01.393903  TCP       2046056  ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)                     6302      49704     185.196.9.26  192.168.2.5
Timestamp                            Src Port  Dst Port  Src IP        Dst IP
Jul 2, 2024 00:14:51.883590937 CEST  49674     443       192.168.2.5   23.1.237.91
Jul 2, 2024 00:14:51.883605003 CEST  49675     443       192.168.2.5   23.1.237.91
Jul 2, 2024 00:14:52.008654118 CEST  49673     443       192.168.2.5   23.1.237.91
Jul 2, 2024 00:14:54.913260937 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:14:54.920161009 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:14:54.920242071 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:14:54.995621920 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:14:55.003267050 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:14:55.748958111 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:14:55.781650066 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:14:55.786439896 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:14:56.057210922 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:14:56.102480888 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:01.106290102 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:01.113192081 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:01.393903017 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:01.393940926 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:01.393953085 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:01.394031048 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:01.394052982 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:01.394088984 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:01.394094944 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:01.394136906 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:01.394149065 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:01.394172907 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:01.446180105 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:01.492993116 CEST  49674     443       192.168.2.5   23.1.237.91
Jul 2, 2024 00:15:01.494512081 CEST  49675     443       192.168.2.5   23.1.237.91
Jul 2, 2024 00:15:01.617986917 CEST  49673     443       192.168.2.5   23.1.237.91
Jul 2, 2024 00:15:03.131170034 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:03.136182070 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.136210918 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.136219978 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.136229992 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.136251926 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:03.136298895 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:03.136548996 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.136594057 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.136626005 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:03.136661053 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.136671066 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.136687994 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.138050079 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.141710997 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.141721010 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.141855001 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.141864061 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.141899109 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.141907930 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.142004013 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.142013073 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.142066002 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.275608063 CEST  443       49703     23.1.237.91   192.168.2.5
Jul 2, 2024 00:15:03.275719881 CEST  49703     443       192.168.2.5   23.1.237.91
Jul 2, 2024 00:15:03.594124079 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:03.599917889 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:03.604854107 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:04.195666075 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:04.195799112 CEST  6302      49704     185.196.9.26  192.168.2.5
Jul 2, 2024 00:15:04.195862055 CEST  49704     6302      192.168.2.5   185.196.9.26
Jul 2, 2024 00:15:04.247232914 CEST  49704     6302      192.168.2.5   185.196.9.26


                            Target ID:0
                            Start time:18:14:52
                            Start date:01/07/2024
                            Path:C:\Users\user\Desktop\StrangeOstrumV2.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\StrangeOstrumV2.exe"
                            Imagebase:0xdf0000
                            File size:364'544 bytes
                            MD5 hash:D16418FBADA8F2A6F41B58B0666C2BDA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:18:14:52
                            Start date:01/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:18:14:53
                            Start date:01/07/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Imagebase:0x540000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2128236804.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2132044966.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:true


                              Execution Graph

                              Execution Coverage:19.6%
                              Dynamic/Decrypted Code Coverage:3.3%
                              Signature Coverage:6.8%
                              Total number of Nodes:961
                              Total number of Limit Nodes:9
execution_graph (nodes that resolve to API calls or symbols, grouped by routine; addresses as in the graph)

Managed-side stub at 0x301xxxx (dynamic code in Target 0):
  3017928 -> 3017940 -> 3018140 / 3018138 -> 301817e -> 6cf330c0 (46 API calls) -> 30181a1
  3016fdc -> 3018290 FindCloseChangeNotification
  3016fe8 -> 3017f00 LoadLibraryW
  3016428 -> 3016470 VirtualProtect
  3010848 -> 30108e2 / 3010a6e / 3010aa9 -> 3011148 VirtualProtect

Native module, routine 6cf330c0 / 6cf330e0 (__FrameHandler3::FrameUnwindToState):
  6cf38a9a CreateProcessW
  6cf38cc2 Wow64GetThreadContext
  6cf3a9c7 GetThreadContext
  6cf38ba0 VirtualAlloc
  6cf3a97c VirtualAlloc
  6cf38ec9 VirtualAllocEx
  6cf3a9f4 VirtualAllocEx
  6cf39c85 ReadProcessMemory
  6cf38f5e WriteProcessMemory
  6cf392bb WriteProcessMemory
  6cf39d85 WriteProcessMemory
  6cf39fdd WriteProcessMemory
  6cf3abe6 WriteProcessMemory
  6cf3a095 Wow64SetThreadContext ResumeThread
  6cf3ac36 SetThreadContext ResumeThread
  6cf3a21e CloseHandle CloseHandle
  6cf353c4 GetConsoleWindow ShowWindow
  calls into 6cf311e0 (21 API calls), 6cf328c0, 6cf31020 and 6cf3b390

Routine 6cf311e0 / 6cf31208 (__InternalCxxFrameHandler):
  6cf31856 GetCurrentProcess -> 6cf3bf90 -> 6cf318d0 GetModuleHandleA
  6cf31b42 K32GetModuleInformation GetModuleFileNameA CreateFileA
  6cf31ce8 CreateFileMappingA
  6cf31dfb CloseHandle
  6cf31ea1 MapViewOfFile
  6cf32299 VirtualProtect
  6cf32460 VirtualProtect
  6cf3261c FindCloseChangeNotification CloseHandle
  6cf32653 CloseHandle
  6cf32753 GetCurrentProcess -> 6cf3bf90 -> 6cf3278e GetModuleHandleA
  6cf327e5 CloseHandle

Routine 6cf328c0 / 6cf32919 (__FrameHandler3::FrameUnwindToState):
  6cf32b9d GetModuleHandleW GetProcAddress
  6cf32c0a NtQueryInformationProcess
  6cf32ee7 VirtualAllocEx

Routine 6cf3b390 (__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z, 5 API calls):
  6cf3b399 IsProcessorFeaturePresent
  6cf3b701 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess

CRT runtime (__dosmaperr, ___free_lconv_mon, ___scrt_is_nonwritable_in_current_image, _unexpected, ___std_exception_copy and related):
  6cf417de TlsGetValue
  6cf41820 TlsSetValue
  6cf415a9, 6cf415f7 LoadLibraryExW
  6cf415c4 GetLastError
  6cf4163a FreeLibrary
  6cf4168f GetProcAddress
  6cf3fe9f HeapAlloc
  6cf3fecf HeapFree
  6cf3fee4, 6cf3f8c8, 6cf3f777, 6cf3f240 GetLastError
  6cf3f8e8, 6cf3f797 SetLastError
  6cf3faa3 EnterCriticalSection
  6cf3faeb LeaveCriticalSection
  6cf3f173, 6cf3fd83 IsProcessorFeaturePresent
  6cf3fbbf IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter
11764->11774 11768 6cf3fb72 11767->11768 11769 6cf3fb59 GetLastError SetLastError 11767->11769 11768->11757 11769->11757 11771 6cf3fd8f 11770->11771 11772 6cf3fb77 __FrameHandler3::FrameUnwindToState 8 API calls 11771->11772 11773 6cf3fda4 GetCurrentProcess TerminateProcess 11772->11773 11773->11760 11775 6cf3f992 11774->11775 11776 6cf3f98c 11774->11776 11778 6cf417e6 __dosmaperr 6 API calls 11775->11778 11795 6cf3f275 SetLastError 11775->11795 11777 6cf417a7 __dosmaperr 6 API calls 11776->11777 11777->11775 11779 6cf3f9ac 11778->11779 11780 6cf3fe67 __dosmaperr 14 API calls 11779->11780 11779->11795 11781 6cf3f9bc 11780->11781 11782 6cf3f9c4 11781->11782 11783 6cf3f9d9 11781->11783 11784 6cf417e6 __dosmaperr 6 API calls 11782->11784 11785 6cf417e6 __dosmaperr 6 API calls 11783->11785 11786 6cf3f9d0 11784->11786 11787 6cf3f9e5 11785->11787 11790 6cf3fec4 ___free_lconv_mon 14 API calls 11786->11790 11788 6cf3f9e9 11787->11788 11789 6cf3f9f8 11787->11789 11791 6cf417e6 __dosmaperr 6 API calls 11788->11791 11792 6cf3f579 __dosmaperr 14 API calls 11789->11792 11790->11795 11791->11786 11793 6cf3fa03 11792->11793 11794 6cf3fec4 ___free_lconv_mon 14 API calls 11793->11794 11794->11795 11795->11755 11796->11744 11798 6cf3e6c8 11797->11798 11806 6cf3e6d9 11797->11806 11808 6cf3e763 GetModuleHandleW 11798->11808 11803 6cf3e717 11815 6cf3e54b 11806->11815 11809 6cf3e6cd 11808->11809 11809->11806 11810 6cf3e7be GetModuleHandleExW 11809->11810 11811 6cf3e811 11810->11811 11812 6cf3e7fd GetProcAddress 11810->11812 11813 6cf3e824 FreeLibrary 11811->11813 11814 6cf3e82d 11811->11814 11812->11811 11813->11814 11814->11806 11816 6cf3e557 ___scrt_is_nonwritable_in_current_image 11815->11816 11830 6cf3faa3 EnterCriticalSection 11816->11830 11818 6cf3e561 11831 6cf3e5b3 11818->11831 11820 6cf3e56e 11835 6cf3e58c 11820->11835 11823 6cf3e732 11860 6cf3e7a5 11823->11860 11825 6cf3e73c 11826 6cf3e750 11825->11826 11827 6cf3e740 GetCurrentProcess TerminateProcess 11825->11827 11828 
6cf3e7be __FrameHandler3::FrameUnwindToState 3 API calls 11826->11828 11827->11826 11829 6cf3e758 ExitProcess 11828->11829 11830->11818 11832 6cf3e5bf ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState 11831->11832 11834 6cf3e623 __FrameHandler3::FrameUnwindToState 11832->11834 11838 6cf3eeb2 11832->11838 11834->11820 11859 6cf3faeb LeaveCriticalSection 11835->11859 11837 6cf3e57a 11837->11803 11837->11823 11839 6cf3eebe __EH_prolog3 11838->11839 11842 6cf3ed7d 11839->11842 11841 6cf3eee5 __DllMainCRTStartup@12 11841->11834 11843 6cf3ed89 ___scrt_is_nonwritable_in_current_image 11842->11843 11850 6cf3faa3 EnterCriticalSection 11843->11850 11845 6cf3ed97 11851 6cf3edd8 11845->11851 11850->11845 11852 6cf3eda4 11851->11852 11853 6cf3edf7 11851->11853 11855 6cf3edcc 11852->11855 11853->11852 11854 6cf3fec4 ___free_lconv_mon 14 API calls 11853->11854 11854->11852 11858 6cf3faeb LeaveCriticalSection 11855->11858 11857 6cf3edb5 11857->11841 11858->11857 11859->11837 11863 6cf3fb27 11860->11863 11862 6cf3e7aa __FrameHandler3::FrameUnwindToState 11862->11825 11864 6cf3fb36 __FrameHandler3::FrameUnwindToState 11863->11864 11865 6cf3fb43 11864->11865 11867 6cf416ca 11864->11867 11865->11862 11868 6cf41645 __dosmaperr 5 API calls 11867->11868 11869 6cf416e6 11868->11869 11869->11865 11871 6cf40e34 ___scrt_is_nonwritable_in_current_image 11870->11871 11873 6cf40e4e 11871->11873 11914 6cf3faa3 EnterCriticalSection 11871->11914 11875 6cf40cfd 11873->11875 11877 6cf3f159 __FrameHandler3::FrameUnwindToState 39 API calls 11873->11877 11874 6cf40e8a 11915 6cf40ea7 11874->11915 11881 6cf40a5a 11875->11881 11879 6cf40ec7 11877->11879 11878 6cf40e5e 11878->11874 11880 6cf3fec4 ___free_lconv_mon 14 API calls 11878->11880 11880->11874 11919 6cf4055e 11881->11919 11884 6cf40a8d 11886 6cf40aa4 11884->11886 11887 6cf40a92 GetACP 11884->11887 11885 6cf40a7b GetOEMCP 11885->11886 11886->11415 11888 6cf423da 11886->11888 11887->11886 11889 6cf42418 11888->11889 11893 
6cf423e8 __dosmaperr 11888->11893 11890 6cf3fe54 __dosmaperr 14 API calls 11889->11890 11892 6cf40d27 11890->11892 11891 6cf42403 RtlAllocateHeap 11891->11892 11891->11893 11892->11411 11892->11412 11893->11889 11893->11891 11894 6cf41c00 __dosmaperr 2 API calls 11893->11894 11894->11893 11896 6cf40a5a 41 API calls 11895->11896 11898 6cf40f43 11896->11898 11897 6cf41048 11900 6cf3b390 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 11897->11900 11898->11897 11899 6cf40f80 IsValidCodePage 11898->11899 11905 6cf40f9b __FrameHandler3::FrameUnwindToState 11898->11905 11899->11897 11902 6cf40f92 11899->11902 11901 6cf40d6a 11900->11901 11901->11417 11901->11421 11903 6cf40fbb GetCPInfo 11902->11903 11902->11905 11903->11897 11903->11905 11962 6cf40b2e 11905->11962 11907 6cf40958 ___scrt_is_nonwritable_in_current_image 11906->11907 12048 6cf3faa3 EnterCriticalSection 11907->12048 11909 6cf40962 12049 6cf40999 11909->12049 11914->11878 11918 6cf3faeb LeaveCriticalSection 11915->11918 11917 6cf40eae 11917->11873 11918->11917 11920 6cf4057c 11919->11920 11926 6cf40575 11919->11926 11921 6cf3f777 _unexpected 39 API calls 11920->11921 11920->11926 11922 6cf4059d 11921->11922 11927 6cf42428 11922->11927 11926->11884 11926->11885 11928 6cf405b3 11927->11928 11929 6cf4243b 11927->11929 11931 6cf42486 11928->11931 11929->11928 11935 6cf429a7 11929->11935 11932 6cf424ae 11931->11932 11933 6cf42499 11931->11933 11932->11926 11933->11932 11957 6cf40f10 11933->11957 11936 6cf429b3 ___scrt_is_nonwritable_in_current_image 11935->11936 11937 6cf3f777 _unexpected 39 API calls 11936->11937 11938 6cf429bc 11937->11938 11940 6cf42a02 11938->11940 11948 6cf3faa3 EnterCriticalSection 11938->11948 11940->11928 11941 6cf429da 11949 6cf42a28 11941->11949 11946 6cf3f159 __FrameHandler3::FrameUnwindToState 39 API calls 11947 6cf42a27 11946->11947 11948->11941 11950 6cf42a36 __dosmaperr 11949->11950 11952 6cf429eb 
11949->11952 11951 6cf4275b __dosmaperr 14 API calls 11950->11951 11950->11952 11951->11952 11953 6cf42a07 11952->11953 11956 6cf3faeb LeaveCriticalSection 11953->11956 11955 6cf429fe 11955->11940 11955->11946 11956->11955 11958 6cf3f777 _unexpected 39 API calls 11957->11958 11959 6cf40f15 11958->11959 11960 6cf40e28 ___scrt_uninitialize_crt 39 API calls 11959->11960 11961 6cf40f20 11960->11961 11961->11932 11963 6cf40b56 GetCPInfo 11962->11963 11964 6cf40c1f 11962->11964 11963->11964 11965 6cf40b6e 11963->11965 11966 6cf3b390 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 11964->11966 11973 6cf43114 11965->11973 11968 6cf40cd1 11966->11968 11968->11897 11972 6cf43424 43 API calls 11972->11964 11974 6cf4055e 39 API calls 11973->11974 11975 6cf43134 11974->11975 11993 6cf412c2 11975->11993 11977 6cf431f0 11979 6cf3b390 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 11977->11979 11978 6cf431e8 11996 6cf43215 11978->11996 11982 6cf40bd6 11979->11982 11980 6cf43161 11980->11977 11980->11978 11981 6cf423da 15 API calls 11980->11981 11984 6cf43186 __FrameHandler3::FrameUnwindToState __alloca_probe_16 11980->11984 11981->11984 11988 6cf43424 11982->11988 11984->11978 11985 6cf412c2 ___scrt_uninitialize_crt MultiByteToWideChar 11984->11985 11986 6cf431cf 11985->11986 11986->11978 11987 6cf431d6 GetStringTypeW 11986->11987 11987->11978 11989 6cf4055e 39 API calls 11988->11989 11990 6cf43437 11989->11990 12002 6cf43235 11990->12002 12000 6cf4122a 11993->12000 11997 6cf43221 11996->11997 11998 6cf43232 11996->11998 11997->11998 11999 6cf3fec4 ___free_lconv_mon 14 API calls 11997->11999 11998->11977 11999->11998 12001 6cf4123b MultiByteToWideChar 12000->12001 12001->11980 12003 6cf43250 12002->12003 12004 6cf412c2 ___scrt_uninitialize_crt MultiByteToWideChar 12003->12004 12008 6cf43294 12004->12008 12005 6cf4340f 
12006 6cf3b390 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 12005->12006 12007 6cf40bf7 12006->12007 12007->11972 12008->12005 12009 6cf423da 15 API calls 12008->12009 12011 6cf432ba __alloca_probe_16 12008->12011 12022 6cf43362 12008->12022 12009->12011 12010 6cf43215 __freea 14 API calls 12010->12005 12012 6cf412c2 ___scrt_uninitialize_crt MultiByteToWideChar 12011->12012 12011->12022 12013 6cf43303 12012->12013 12013->12022 12030 6cf41873 12013->12030 12016 6cf43371 12018 6cf433fa 12016->12018 12020 6cf423da 15 API calls 12016->12020 12023 6cf43383 __alloca_probe_16 12016->12023 12017 6cf43339 12019 6cf41873 6 API calls 12017->12019 12017->12022 12021 6cf43215 __freea 14 API calls 12018->12021 12019->12022 12020->12023 12021->12022 12022->12010 12023->12018 12024 6cf41873 6 API calls 12023->12024 12025 6cf433c6 12024->12025 12025->12018 12036 6cf4137c 12025->12036 12027 6cf433e0 12027->12018 12028 6cf433e9 12027->12028 12029 6cf43215 __freea 14 API calls 12028->12029 12029->12022 12039 6cf41546 12030->12039 12034 6cf41884 12034->12016 12034->12017 12034->12022 12035 6cf418c4 LCMapStringW 12035->12034 12037 6cf4138f ___scrt_uninitialize_crt 12036->12037 12038 6cf413cd WideCharToMultiByte 12037->12038 12038->12027 12040 6cf41645 __dosmaperr 5 API calls 12039->12040 12041 6cf4155c 12040->12041 12041->12034 12042 6cf418d0 12041->12042 12045 6cf41560 12042->12045 12044 6cf418db 12044->12035 12046 6cf41645 __dosmaperr 5 API calls 12045->12046 12047 6cf41576 12046->12047 12047->12044 12048->11909 12059 6cf41128 12049->12059 12051 6cf409bb 12052 6cf41128 29 API calls 12051->12052 12053 6cf409da 12052->12053 12054 6cf4096f 12053->12054 12055 6cf3fec4 ___free_lconv_mon 14 API calls 12053->12055 12056 6cf4098d 12054->12056 12055->12054 12073 6cf3faeb LeaveCriticalSection 12056->12073 12058 6cf4097b 12058->11422 12060 6cf41139 12059->12060 12064 6cf41135 __InternalCxxFrameHandler 
12059->12064 12061 6cf41140 12060->12061 12066 6cf41153 __FrameHandler3::FrameUnwindToState 12060->12066 12062 6cf3fe54 __dosmaperr 14 API calls 12061->12062 12063 6cf41145 12062->12063 12065 6cf3fd73 ___std_exception_copy 29 API calls 12063->12065 12064->12051 12065->12064 12066->12064 12067 6cf41181 12066->12067 12068 6cf4118a 12066->12068 12069 6cf3fe54 __dosmaperr 14 API calls 12067->12069 12068->12064 12071 6cf3fe54 __dosmaperr 14 API calls 12068->12071 12070 6cf41186 12069->12070 12072 6cf3fd73 ___std_exception_copy 29 API calls 12070->12072 12071->12070 12072->12064 12073->12058 12074 6cf3b6de 12075 6cf3b6e7 12074->12075 12076 6cf3b6ec 12074->12076 12091 6cf3b870 12075->12091 12080 6cf3b5a8 12076->12080 12081 6cf3b5b4 ___scrt_is_nonwritable_in_current_image 12080->12081 12082 6cf3b5dd dllmain_raw 12081->12082 12086 6cf3b5d8 __DllMainCRTStartup@12 12081->12086 12088 6cf3b5c3 12081->12088 12083 6cf3b5f7 dllmain_crt_dispatch 12082->12083 12082->12088 12083->12086 12083->12088 12084 6cf3b649 12085 6cf3b652 dllmain_crt_dispatch 12084->12085 12084->12088 12087 6cf3b665 dllmain_raw 12085->12087 12085->12088 12086->12084 12095 6cf3b4f8 12086->12095 12087->12088 12090 6cf3b63e dllmain_raw 12090->12084 12092 6cf3b886 12091->12092 12094 6cf3b88f 12092->12094 12270 6cf3b823 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 12092->12270 12094->12076 12096 6cf3b504 ___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 12095->12096 12097 6cf3b50d 12096->12097 12098 6cf3b5a0 12096->12098 12099 6cf3b535 12096->12099 12097->12090 12139 6cf3bbda IsProcessorFeaturePresent 12098->12139 12118 6cf3ba0b 12099->12118 12102 6cf3b53a 12127 6cf3b8c7 12102->12127 12104 6cf3b5a7 ___scrt_is_nonwritable_in_current_image 12105 6cf3b5dd dllmain_raw 12104->12105 12113 6cf3b5d8 __DllMainCRTStartup@12 12104->12113 12115 6cf3b5c3 12104->12115 12107 6cf3b5f7 dllmain_crt_dispatch 12105->12107 12105->12115 12106 6cf3b53f __RTC_Initialize 
__DllMainCRTStartup@12 12130 6cf3bbac 12106->12130 12107->12113 12107->12115 12111 6cf3b649 12112 6cf3b652 dllmain_crt_dispatch 12111->12112 12111->12115 12114 6cf3b665 dllmain_raw 12112->12114 12112->12115 12113->12111 12116 6cf3b4f8 __DllMainCRTStartup@12 81 API calls 12113->12116 12114->12115 12115->12090 12117 6cf3b63e dllmain_raw 12116->12117 12117->12111 12119 6cf3ba10 ___scrt_release_startup_lock 12118->12119 12120 6cf3ba14 12119->12120 12123 6cf3ba20 __DllMainCRTStartup@12 12119->12123 12121 6cf3eeb2 __DllMainCRTStartup@12 14 API calls 12120->12121 12122 6cf3ba1e 12121->12122 12122->12102 12124 6cf3ba2d 12123->12124 12125 6cf3e69b __FrameHandler3::FrameUnwindToState 21 API calls 12123->12125 12124->12102 12126 6cf3e85a 12125->12126 12126->12102 12143 6cf3c84a InterlockedFlushSList 12127->12143 12131 6cf3bbb8 12130->12131 12132 6cf3b55e 12131->12132 12150 6cf3f05b 12131->12150 12136 6cf3b59a 12132->12136 12134 6cf3bbc6 12155 6cf3c89f 12134->12155 12253 6cf3ba2e 12136->12253 12140 6cf3bbf0 __FrameHandler3::FrameUnwindToState 12139->12140 12141 6cf3bc9b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12140->12141 12142 6cf3bcdf __FrameHandler3::FrameUnwindToState 12141->12142 12142->12104 12144 6cf3b8d1 12143->12144 12145 6cf3c85a 12143->12145 12144->12106 12145->12144 12147 6cf3f0d9 12145->12147 12148 6cf3fec4 ___free_lconv_mon 14 API calls 12147->12148 12149 6cf3f0f1 12148->12149 12149->12145 12151 6cf3f066 12150->12151 12152 6cf3f078 ___scrt_uninitialize_crt 12150->12152 12153 6cf3f074 12151->12153 12161 6cf42295 12151->12161 12152->12134 12153->12134 12156 6cf3c8b2 12155->12156 12157 6cf3c8a8 12155->12157 12156->12132 12228 6cf3cd21 12157->12228 12164 6cf42126 12161->12164 12167 6cf4207a 12164->12167 12168 6cf42086 ___scrt_is_nonwritable_in_current_image 12167->12168 12175 6cf3faa3 EnterCriticalSection 12168->12175 12170 6cf420fc 12184 6cf4211a 12170->12184 12174 6cf42090 ___scrt_uninitialize_crt 12174->12170 12176 6cf41fee 
12174->12176 12175->12174 12177 6cf41ffa ___scrt_is_nonwritable_in_current_image 12176->12177 12187 6cf423b2 EnterCriticalSection 12177->12187 12179 6cf4203d 12199 6cf4206e 12179->12199 12180 6cf42004 ___scrt_uninitialize_crt 12180->12179 12188 6cf42230 12180->12188 12227 6cf3faeb LeaveCriticalSection 12184->12227 12186 6cf42108 12186->12153 12187->12180 12189 6cf42245 ___std_exception_copy 12188->12189 12190 6cf42257 12189->12190 12191 6cf4224c 12189->12191 12202 6cf421c7 12190->12202 12192 6cf42126 ___scrt_uninitialize_crt 68 API calls 12191->12192 12195 6cf42252 ___std_exception_copy 12192->12195 12195->12179 12197 6cf42278 12215 6cf438c5 12197->12215 12226 6cf423c6 LeaveCriticalSection 12199->12226 12201 6cf4205c 12201->12174 12203 6cf421e0 12202->12203 12204 6cf42207 12202->12204 12203->12204 12205 6cf42617 ___scrt_uninitialize_crt 29 API calls 12203->12205 12204->12195 12208 6cf42617 12204->12208 12206 6cf421fc 12205->12206 12207 6cf440e4 ___scrt_uninitialize_crt 64 API calls 12206->12207 12207->12204 12209 6cf42623 12208->12209 12210 6cf42638 12208->12210 12211 6cf3fe54 __dosmaperr 14 API calls 12209->12211 12210->12197 12212 6cf42628 12211->12212 12213 6cf3fd73 ___std_exception_copy 29 API calls 12212->12213 12214 6cf42633 12213->12214 12214->12197 12216 6cf438d6 12215->12216 12217 6cf438e3 12215->12217 12218 6cf3fe54 __dosmaperr 14 API calls 12216->12218 12219 6cf4392c 12217->12219 12221 6cf4390a 12217->12221 12223 6cf438db 12218->12223 12220 6cf3fe54 __dosmaperr 14 API calls 12219->12220 12222 6cf43931 12220->12222 12224 6cf43823 ___scrt_uninitialize_crt 33 API calls 12221->12224 12225 6cf3fd73 ___std_exception_copy 29 API calls 12222->12225 12223->12195 12224->12223 12225->12223 12226->12201 12227->12186 12229 6cf3cd2b 12228->12229 12230 6cf3c8ad 12228->12230 12236 6cf3d2b8 12229->12236 12232 6cf3cd78 12230->12232 12233 6cf3cda2 12232->12233 12234 6cf3cd83 12232->12234 12233->12156 12235 6cf3cd8d DeleteCriticalSection 12234->12235 12235->12233 
12235->12235 12241 6cf3d192 12236->12241 12239 6cf3d2ea TlsFree 12240 6cf3d2de 12239->12240 12240->12230 12242 6cf3d1af 12241->12242 12245 6cf3d1b3 12241->12245 12242->12239 12242->12240 12243 6cf3d21b GetProcAddress 12243->12242 12245->12242 12245->12243 12246 6cf3d20c 12245->12246 12248 6cf3d232 LoadLibraryExW 12245->12248 12246->12243 12247 6cf3d214 FreeLibrary 12246->12247 12247->12243 12249 6cf3d279 12248->12249 12250 6cf3d249 GetLastError 12248->12250 12249->12245 12250->12249 12251 6cf3d254 ___vcrt_InitializeCriticalSectionEx 12250->12251 12251->12249 12252 6cf3d26a LoadLibraryExW 12251->12252 12252->12245 12258 6cf3f08b 12253->12258 12256 6cf3cd21 ___vcrt_uninitialize_ptd 6 API calls 12257 6cf3b59f 12256->12257 12257->12097 12261 6cf3fa48 12258->12261 12262 6cf3fa52 12261->12262 12263 6cf3ba35 12261->12263 12265 6cf41768 12262->12265 12263->12256 12266 6cf41645 __dosmaperr 5 API calls 12265->12266 12267 6cf41784 12266->12267 12268 6cf4179f TlsFree 12267->12268 12269 6cf4178d 12267->12269 12269->12263 12270->12094 12271 6cf3b39e 12272 6cf3b3a9 12271->12272 12273 6cf3b3dc 12271->12273 12274 6cf3b3ce 12272->12274 12275 6cf3b3ae 12272->12275 12276 6cf3b4f8 __DllMainCRTStartup@12 86 API calls 12273->12276 12283 6cf3b3f1 12274->12283 12277 6cf3b3c4 12275->12277 12279 6cf3b3b3 12275->12279 12282 6cf3b3b8 12276->12282 12302 6cf3b9ab 12277->12302 12279->12282 12297 6cf3b9ca 12279->12297 12284 6cf3b3fd ___scrt_is_nonwritable_in_current_image 12283->12284 12310 6cf3ba3b 12284->12310 12286 6cf3b404 __DllMainCRTStartup@12 12287 6cf3b4f0 12286->12287 12288 6cf3b42b 12286->12288 12292 6cf3b467 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState 12286->12292 12289 6cf3bbda __DllMainCRTStartup@12 4 API calls 12287->12289 12321 6cf3b99d 12288->12321 12291 6cf3b4f7 12289->12291 12292->12282 12293 6cf3b43a __RTC_Initialize 12293->12292 12324 6cf3b8bb InitializeSListHead 12293->12324 12295 6cf3b448 12295->12292 12325 6cf3b972 12295->12325 12386 6cf3f053 
12297->12386 12475 6cf3c88c 12302->12475 12305 6cf3b9b4 12305->12282 12308 6cf3b9c7 12308->12282 12309 6cf3c897 21 API calls 12309->12305 12311 6cf3ba44 12310->12311 12329 6cf3bd98 IsProcessorFeaturePresent 12311->12329 12315 6cf3ba55 12320 6cf3ba59 12315->12320 12339 6cf3f036 12315->12339 12317 6cf3ba70 12317->12286 12319 6cf3c89f ___scrt_uninitialize_crt 7 API calls 12319->12320 12320->12286 12380 6cf3ba74 12321->12380 12323 6cf3b9a4 12323->12293 12324->12295 12326 6cf3b977 ___scrt_release_startup_lock 12325->12326 12327 6cf3bd98 IsProcessorFeaturePresent 12326->12327 12328 6cf3b980 12326->12328 12327->12328 12328->12292 12330 6cf3ba50 12329->12330 12331 6cf3c86d 12330->12331 12342 6cf3cd3c 12331->12342 12335 6cf3c87e 12336 6cf3c889 12335->12336 12337 6cf3cd78 ___vcrt_uninitialize_locks DeleteCriticalSection 12335->12337 12336->12315 12338 6cf3c876 12337->12338 12338->12315 12371 6cf41b58 12339->12371 12343 6cf3cd45 12342->12343 12345 6cf3cd6e 12343->12345 12347 6cf3c872 12343->12347 12356 6cf3d36c 12343->12356 12346 6cf3cd78 ___vcrt_uninitialize_locks DeleteCriticalSection 12345->12346 12346->12347 12347->12338 12348 6cf3ccee 12347->12348 12361 6cf3d27d 12348->12361 12353 6cf3cd1e 12353->12335 12354 6cf3cd21 ___vcrt_uninitialize_ptd 6 API calls 12355 6cf3cd03 12354->12355 12355->12335 12357 6cf3d192 ___vcrt_InitializeCriticalSectionEx 5 API calls 12356->12357 12358 6cf3d386 12357->12358 12359 6cf3d3a4 InitializeCriticalSectionAndSpinCount 12358->12359 12360 6cf3d38f 12358->12360 12359->12360 12360->12343 12362 6cf3d192 ___vcrt_InitializeCriticalSectionEx 5 API calls 12361->12362 12363 6cf3d297 12362->12363 12364 6cf3d2b0 TlsAlloc 12363->12364 12365 6cf3ccf8 12363->12365 12365->12355 12366 6cf3d32e 12365->12366 12367 6cf3d192 ___vcrt_InitializeCriticalSectionEx 5 API calls 12366->12367 12368 6cf3d348 12367->12368 12369 6cf3d363 TlsSetValue 12368->12369 12370 6cf3cd11 12368->12370 12369->12370 12370->12353 12370->12354 12372 6cf41b68 12371->12372 12373 6cf3ba62 
12371->12373 12372->12373 12375 6cf41a1c 12372->12375 12373->12317 12373->12319 12376 6cf41a23 12375->12376 12377 6cf41a66 GetStdHandle 12376->12377 12378 6cf41ac8 12376->12378 12379 6cf41a79 GetFileType 12376->12379 12377->12376 12378->12372 12379->12376 12381 6cf3ba80 12380->12381 12382 6cf3ba84 12380->12382 12381->12323 12383 6cf3bbda __DllMainCRTStartup@12 4 API calls 12382->12383 12385 6cf3ba91 ___scrt_release_startup_lock 12382->12385 12384 6cf3bafa 12383->12384 12385->12323 12392 6cf3f74b 12386->12392 12389 6cf3c897 12458 6cf3cc23 12389->12458 12393 6cf3b9cf 12392->12393 12394 6cf3f755 12392->12394 12393->12389 12395 6cf417a7 __dosmaperr 6 API calls 12394->12395 12396 6cf3f75c 12395->12396 12396->12393 12397 6cf417e6 __dosmaperr 6 API calls 12396->12397 12398 6cf3f76f 12397->12398 12400 6cf3f612 12398->12400 12401 6cf3f62d 12400->12401 12402 6cf3f61d 12400->12402 12401->12393 12406 6cf3f633 12402->12406 12405 6cf3fec4 ___free_lconv_mon 14 API calls 12405->12401 12407 6cf3f64e 12406->12407 12408 6cf3f648 12406->12408 12410 6cf3fec4 ___free_lconv_mon 14 API calls 12407->12410 12409 6cf3fec4 ___free_lconv_mon 14 API calls 12408->12409 12409->12407 12411 6cf3f65a 12410->12411 12412 6cf3fec4 ___free_lconv_mon 14 API calls 12411->12412 12413 6cf3f665 12412->12413 12414 6cf3fec4 ___free_lconv_mon 14 API calls 12413->12414 12415 6cf3f670 12414->12415 12416 6cf3fec4 ___free_lconv_mon 14 API calls 12415->12416 12417 6cf3f67b 12416->12417 12418 6cf3fec4 ___free_lconv_mon 14 API calls 12417->12418 12419 6cf3f686 12418->12419 12420 6cf3fec4 ___free_lconv_mon 14 API calls 12419->12420 12421 6cf3f691 12420->12421 12422 6cf3fec4 ___free_lconv_mon 14 API calls 12421->12422 12423 6cf3f69c 12422->12423 12424 6cf3fec4 ___free_lconv_mon 14 API calls 12423->12424 12425 6cf3f6a7 12424->12425 12426 6cf3fec4 ___free_lconv_mon 14 API calls 12425->12426 12427 6cf3f6b5 12426->12427 12432 6cf3f45f 12427->12432 12433 6cf3f46b ___scrt_is_nonwritable_in_current_image 12432->12433 12448 
6cf3faa3 EnterCriticalSection 12433->12448 12436 6cf3f475 12438 6cf3fec4 ___free_lconv_mon 14 API calls 12436->12438 12439 6cf3f49f 12436->12439 12438->12439 12449 6cf3f4be 12439->12449 12440 6cf3f4ca 12441 6cf3f4d6 ___scrt_is_nonwritable_in_current_image 12440->12441 12453 6cf3faa3 EnterCriticalSection 12441->12453 12443 6cf3f4e0 12444 6cf3f700 __dosmaperr 14 API calls 12443->12444 12445 6cf3f4f3 12444->12445 12454 6cf3f513 12445->12454 12448->12436 12452 6cf3faeb LeaveCriticalSection 12449->12452 12451 6cf3f4ac 12451->12440 12452->12451 12453->12443 12457 6cf3faeb LeaveCriticalSection 12454->12457 12456 6cf3f501 12456->12405 12457->12456 12459 6cf3b9d4 12458->12459 12460 6cf3cc2d 12458->12460 12459->12282 12466 6cf3d2f3 12460->12466 12463 6cf3d32e ___vcrt_FlsSetValue 6 API calls 12464 6cf3cc43 12463->12464 12471 6cf3cc07 12464->12471 12467 6cf3d192 ___vcrt_InitializeCriticalSectionEx 5 API calls 12466->12467 12468 6cf3d30d 12467->12468 12469 6cf3d325 TlsGetValue 12468->12469 12470 6cf3cc34 12468->12470 12469->12470 12470->12463 12472 6cf3cc11 12471->12472 12474 6cf3cc1e 12471->12474 12473 6cf3f0d9 ___vcrt_freefls@4 14 API calls 12472->12473 12472->12474 12473->12474 12474->12459 12481 6cf3cc5c 12475->12481 12477 6cf3b9b0 12477->12305 12478 6cf3f048 12477->12478 12479 6cf3f8c8 __dosmaperr 14 API calls 12478->12479 12480 6cf3b9bc 12479->12480 12480->12308 12480->12309 12482 6cf3cc65 12481->12482 12483 6cf3cc68 GetLastError 12481->12483 12482->12477 12484 6cf3d2f3 ___vcrt_FlsGetValue 6 API calls 12483->12484 12485 6cf3cc7d 12484->12485 12486 6cf3cce2 SetLastError 12485->12486 12487 6cf3d32e ___vcrt_FlsSetValue 6 API calls 12485->12487 12494 6cf3cc9c 12485->12494 12486->12477 12488 6cf3cc96 _unexpected 12487->12488 12489 6cf3ccbe 12488->12489 12490 6cf3d32e ___vcrt_FlsSetValue 6 API calls 12488->12490 12488->12494 12491 6cf3d32e ___vcrt_FlsSetValue 6 API calls 12489->12491 12492 6cf3ccd2 12489->12492 12490->12489 12491->12492 12493 6cf3f0d9 ___vcrt_freefls@4 14 API 
calls 12492->12493 12493->12494 12494->12486
                              APIs
                              • GetConsoleWindow.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CF3543B
                              • ShowWindow.USER32 ref: 6CF35451
                              • CreateProcessW.KERNELBASE ref: 6CF38AEE
                              • VirtualAlloc.KERNELBASE ref: 6CF38BC4
                              • VirtualAllocEx.KERNELBASE ref: 6CF38DE7
                              • VirtualAllocEx.KERNEL32 ref: 6CF38EF6
                              • WriteProcessMemory.KERNELBASE ref: 6CF38F94
                              • WriteProcessMemory.KERNELBASE ref: 6CF39308
                              • ReadProcessMemory.KERNEL32 ref: 6CF39CB4
                              • WriteProcessMemory.KERNEL32 ref: 6CF39DB1
                              • WriteProcessMemory.KERNELBASE ref: 6CF3A01D
                              • Wow64SetThreadContext.KERNEL32 ref: 6CF3A0CA
                              • ResumeThread.KERNELBASE ref: 6CF3A0D9
                              • CloseHandle.KERNEL32 ref: 6CF3A229
                              • CloseHandle.KERNEL32 ref: 6CF3A238
                              • VirtualAlloc.KERNEL32 ref: 6CF3A9A0
                              • GetThreadContext.KERNEL32 ref: 6CF3A9DF
                              • VirtualAllocEx.KERNEL32 ref: 6CF3AA21
                              • WriteProcessMemory.KERNEL32 ref: 6CF3AC12
                              • SetThreadContext.KERNEL32 ref: 6CF3AC74
                              • ResumeThread.KERNEL32 ref: 6CF3AC83
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Memory$AllocThreadVirtualWrite$Context$CloseHandleResumeWindow$ConsoleCreateReadShowWow64
                              • String ID: )6y$9&=x$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$\/LV$kernel32.dll$m0R$m0R$ntdll.dll$rdUl$rdUl$yY${1Z${1Z$~*:y$"[#$"[#$&3$yGH$yGH$zx$zx$r
                              • API String ID: 464527381-2271936391
                              • Opcode ID: dc988b7711e2069c728f21f8227db0891037de1ac5df577e15ac65385b9a8958
                              • Instruction ID: 2531fb8bdc8c1e3d391882baec12e93daf382f8f380b9475fef6f52565cab186
                              • Opcode Fuzzy Hash: dc988b7711e2069c728f21f8227db0891037de1ac5df577e15ac65385b9a8958
                              • Instruction Fuzzy Hash: 1AD31432A14225AFCF14CF2DC9843DA77F2AB87354F10A696D41CDB794DA358B899F80
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: Handle$Module$Close$CurrentFileProcess$CreateInformationNameProtectVirtual
                              • String ID: .text$@
                              • API String ID: 3681693246-3116941980
                              • Opcode ID: 7c3ec1ae0e70b5640d6f73775462454827e4e53bc8671a2f22d46ee17cc93ae8
                              • Instruction ID: 17aa60bf71b65d44a6c23bbe27a1850a27824ecf206c60aafb7b380c3810114a
                              • Opcode Fuzzy Hash: 7c3ec1ae0e70b5640d6f73775462454827e4e53bc8671a2f22d46ee17cc93ae8
                              • Instruction Fuzzy Hash: DAC2EF76A15224DFDF14CF2CC9A97DEBBF1AB46300F00A19AD90DD7751C6368A898F81

                              Control-flow Graph (function at 6cf328c0; calls GetModuleHandleW, GetProcAddress, NtQueryInformationProcess; rendered graph not reproduced)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: NtQueryInformationProcess$ntdll.dll
                              • API String ID: 0-2906145389
                              • Opcode ID: 0531b74562300996d4f159e9037cff868bca4aa1ff267c54123510798c5b348d
                              • Instruction ID: 79cbf9c2726ed43695552e1b0a9998a5430750bca2e27581667954ffcae62734
                              • Opcode Fuzzy Hash: 0531b74562300996d4f159e9037cff868bca4aa1ff267c54123510798c5b348d
                              • Instruction Fuzzy Hash: C9F12276B11215AFCF04CF7CD9993CE77F2AB4A314F10A119E419EB796C63A8A048BD1

                              Control-flow Graph (function at 3012187; rendered graph not reproduced)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: {EL$-nyU
                              • API String ID: 0-345358387
                              • Opcode ID: 7d6caa71c9d53c1f36edb88862a5241b027b3e774d18ffe78363209cd536cd5f
                              • Instruction ID: 6af29a093150751752e28be7287824dd9bbd83ae323f17a40f1e38f408b0141c
                              • Opcode Fuzzy Hash: 7d6caa71c9d53c1f36edb88862a5241b027b3e774d18ffe78363209cd536cd5f
                              • Instruction Fuzzy Hash: 9502E271A05251CFCB56CF78C98066ABBF9FF5A310B158CA6D801DF266E334E951CB82

                              Control-flow Graph (function at 3012ad0; rendered graph not reproduced)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: {EL$-nyU
                              • API String ID: 0-345358387
                              • Opcode ID: 93ef3fb51f1bbea36a5e83887317e596ccb7c3438c92d7800c408acb85c7a2bd
                              • Instruction ID: 89a27278efaa0cce9c7966b57bdbb0a6ece7388b4da1810635683a5e31b22e8f
                              • Opcode Fuzzy Hash: 93ef3fb51f1bbea36a5e83887317e596ccb7c3438c92d7800c408acb85c7a2bd
                              • Instruction Fuzzy Hash: BCB18C72905251CFCB56CF38C9C161ABBF9EF563107164CA6D802DF26AE335E961CB42

                              Control-flow Graph (function at 3012bb8; rendered graph not reproduced)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: {EL$-nyU
                              • API String ID: 0-345358387
                              • Opcode ID: 6d430f789bf16b6ed5a9be807e182365bbf6c6b4252e337ab5247fafab33cb05
                              • Instruction ID: 9237416bef95dcccf83b414d1cca4397463f15e8ce0b3a1b1382920dbba059a6
                              • Opcode Fuzzy Hash: 6d430f789bf16b6ed5a9be807e182365bbf6c6b4252e337ab5247fafab33cb05
                              • Instruction Fuzzy Hash: 7A71A071A05152CFCB54CF2CCAD152FBBADAB94300B528C96D906DF26AC730ED61CB85

                              Control-flow Graph (function at 3011810; rendered graph not reproduced)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: Tecq$Tecq
                              • API String ID: 0-2088518435
                              • Opcode ID: 8496baf4ae1b5ee805a7a152968c895221826fce08a25264b019487afbfa95df
                              • Instruction ID: 902d0c520493134ae61ca43eadde7edb4001ded2d9b9c07c35e8dc342ae17411
                              • Opcode Fuzzy Hash: 8496baf4ae1b5ee805a7a152968c895221826fce08a25264b019487afbfa95df
                              • Instruction Fuzzy Hash: D7610471A053168FCB59CFA8C8806AEBBF2FF8A310B1444A9D502EF359D7745E11CB92

                              Control-flow Graph (function at 301182f; rendered graph not reproduced)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: Tecq$Tecq
                              • API String ID: 0-2088518435
                              • Opcode ID: e6b97745521612322e3a4b6480b75d4972b95febd2698f7768f820aa3846a078
                              • Instruction ID: b7b75790ecbd3ca4594d1919838bf6efdeb2351fc9f3d0c52b2c476e72e8508a
                              • Opcode Fuzzy Hash: e6b97745521612322e3a4b6480b75d4972b95febd2698f7768f820aa3846a078
                              • Instruction Fuzzy Hash: 3C510671A053168FCB49CFB9C8906AEBBF2FF8A310B1444A9D506EF355D6745A01CB92

                              Control-flow Graph (function at 30118a8; rendered graph not reproduced)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: Tecq$Tecq
                              • API String ID: 0-2088518435
                              • Opcode ID: 855fad47d9fc877606f59d51e2940a8ea19a8e7d5a37d515ca8f295605642c01
                              • Instruction ID: 4016bac755354bb1a580ed37abf8cc1b2490c42929745858480a33f13e101dbb
                              • Opcode Fuzzy Hash: 855fad47d9fc877606f59d51e2940a8ea19a8e7d5a37d515ca8f295605642c01
                              • Instruction Fuzzy Hash: 9F41BB70F052168FCB48DFA9C89456FBBB6FB89600F108429D516EB394CA749D01CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: $cq
                              • API String ID: 0-2110363268
                              • Opcode ID: 6192c543031e914e3d1ed9ee3937d4ab3204dbd7cbca50626bbb1c874facee0e
                              • Instruction ID: d364aadbbffc53d45102aff63d25ddc6ab710925e6b0294dd82d137f19113a65
                              • Opcode Fuzzy Hash: 6192c543031e914e3d1ed9ee3937d4ab3204dbd7cbca50626bbb1c874facee0e
                              • Instruction Fuzzy Hash: 7341C274B012059FC754DB79891472F7BABBBC8700F24882DE50ADB399EE35DD028BA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: z3h
                              • API String ID: 0-3127756237
                              • Opcode ID: be3690afc51e532850ecd63c2b71401fc9fcd9f32a7a3bb6914763bbc166899c
                              • Instruction ID: a9c996c6a6382f3709a869eb3cb05731a96fefe776507e935f6c1857821dd29b
                              • Opcode Fuzzy Hash: be3690afc51e532850ecd63c2b71401fc9fcd9f32a7a3bb6914763bbc166899c
                              • Instruction Fuzzy Hash: DD312071306302C7CBA8DA3A855923F698B5BC4A407484A7E9C47CB390EE34DD61839B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 17b9811d612064075faa49cba6e9f02032847ed66dc77ce4c035ba8ce227e5e1
                              • Instruction ID: 17a30d05a4f92042058dafbe08953034dbfbf981fd7c689b3f6e83a86c2d3ca8
                              • Opcode Fuzzy Hash: 17b9811d612064075faa49cba6e9f02032847ed66dc77ce4c035ba8ce227e5e1
                              • Instruction Fuzzy Hash: F2A1EF30F192148BCB19CB2CC59156EFBF6AFC5700B68C9AAE496DB368C670ED51CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f40c65090706571b8cec8dc06a881d6ec9cb1035f2ab245b3903c64a2440732
                              • Instruction ID: 58961186a193e8a8ce1a9fdbedc22e6e5a2ac8b0283cfc8ff85fca9382a1caad
                              • Opcode Fuzzy Hash: 1f40c65090706571b8cec8dc06a881d6ec9cb1035f2ab245b3903c64a2440732
                              • Instruction Fuzzy Hash: 97417F31B16115CBC784CAB9DE4017FB6A9AFC1E1072158279807DF6D4DF30CE2A8792
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 171af1b6823bae407c7f72ec8c1c077ed505167cd0cad79bda01f2d049854524
                              • Instruction ID: f7259a4718ce427102a0ca5227fd6cf739108c36c53f76c6befdabc5f8ffe4df
                              • Opcode Fuzzy Hash: 171af1b6823bae407c7f72ec8c1c077ed505167cd0cad79bda01f2d049854524
                              • Instruction Fuzzy Hash: B6415D31B16115CBC784DAB9DE8117FB5AAAFD1A10721582B9807DB6D4DF30CE1A8782

                              Control-flow Graph (function at 6cf3b4f8; calls dllmain_raw, dllmain_crt_dispatch; rendered graph not reproduced)
                              APIs
                              • __RTC_Initialize.LIBCMT ref: 6CF3B53F
                              • ___scrt_uninitialize_crt.LIBCMT ref: 6CF3B559
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: Initialize___scrt_uninitialize_crt
                              • String ID:
                              • API String ID: 2442719207-0
                              • Opcode ID: 2472b6c04cee2c7dd8d430604231bd1aa4a5a3a9191a2dbd27bd9a2455d56d69
                              • Instruction ID: b29a0e54b4a6b0a5fc7923a96f67de55cbae1023faf6f7db1204a7226cb30e07
                              • Opcode Fuzzy Hash: 2472b6c04cee2c7dd8d430604231bd1aa4a5a3a9191a2dbd27bd9a2455d56d69
                              • Instruction Fuzzy Hash: 61419272E05A39FEDB118F65CC50BDE7BB4EB80758F115959E81C67B50D7308A058BE0

                              Control-flow Graph (function at 6cf3b5a8; calls dllmain_raw, dllmain_crt_dispatch; rendered graph not reproduced)
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: dllmain_raw$dllmain_crt_dispatch
                              • String ID:
                              • API String ID: 3136044242-0

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989

                              Control-flow Graph

                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 03011173
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: @
                              • API String ID: 544645111-2766056989

                              Control-flow Graph

                              APIs
                              • __RTC_Initialize.LIBCMT ref: 6CF3B43E
                                • Part of subcall function 6CF3B8BB: InitializeSListHead.KERNEL32(6CF99420,6CF3B448,6CF4D650,00000010,6CF3B3D9,?,?,?,6CF3B601,?,00000001,?,?,00000001,?,6CF4D698), ref: 6CF3B8C0
                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF3B4A8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                              • String ID:
                              • API String ID: 3231365870-0

                              Control-flow Graph

                              APIs
                              • GetStdHandle.KERNEL32(000000F6), ref: 6CF41A68
                              • GetFileType.KERNELBASE(00000000), ref: 6CF41A7A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileHandleType
                              • String ID:
                              • API String ID: 3000768030-0

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 03011173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 03011173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 03011173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 03011173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 03011173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 03011173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0301649B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              APIs
                              • LoadLibraryW.KERNELBASE(00000000), ref: 03017F70
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 03011173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0301649B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              APIs
                              • LoadLibraryW.KERNELBASE(00000000), ref: 03017F70
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?), ref: 030182EF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?), ref: 030182EF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 0e943aea8c3a65664460ea8b5a7691dc6a9c7e071fc4fdfb56f9ead1c2ab5489
                              • Instruction ID: 3e07d53c00666c77cbfc9569b2ce74f3876ddd2ef162cb34ea2a940e93c0702a
                              • Opcode Fuzzy Hash: 0e943aea8c3a65664460ea8b5a7691dc6a9c7e071fc4fdfb56f9ead1c2ab5489
                              • Instruction Fuzzy Hash: C21185B2C003498FCB10CFA9C545BEEBBF0EF48320F24885AD418A7240D338A545CFA5
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,6CF40D27,6CF420F4,?,6CF40D27,00000220,?,?,6CF420F4), ref: 6CF4240C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 108ae247cccad6efdf82b61b86059a5fc6fa1991ead362d0f7dc35f39638f920
                              • Instruction ID: 61d4f37da8f77f0540e92f0c1d95055215aef9594f4ae95aa77d05e19e0a6c3a
                              • Opcode Fuzzy Hash: 108ae247cccad6efdf82b61b86059a5fc6fa1991ead362d0f7dc35f39638f920
                              • Instruction Fuzzy Hash: 3FE065726411215AFB112B6A8C0CB977E5CDB527F9F22C135ED28D69A3CB62C84182F5
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CF3BBE6
                              • IsDebuggerPresent.KERNEL32 ref: 6CF3BCB2
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF3BCCB
                              • UnhandledExceptionFilter.KERNEL32(?), ref: 6CF3BCD5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                              • String ID:
                              • API String ID: 254469556-0
                              • Opcode ID: cfb44875dad7ee428364f34de9a47f62e291623a13ec013d0d044a062a5a6351
                              • Instruction ID: 4fe1edd338966307c9384e25c6287fb3224352365bebc242d91adb9e93a8e164
                              • Opcode Fuzzy Hash: cfb44875dad7ee428364f34de9a47f62e291623a13ec013d0d044a062a5a6351
                              • Instruction Fuzzy Hash: 8A31F975D15228EBDF60DFA4C9497CDBBB8BF08345F1055AAE40CAB340EB709A848F85
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CF3FC6F
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CF3FC79
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CF3FC86
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 070e04086f2b61a99fdf7de2fe284db0554f71735c44ff2962e8d5d8ff806b25
                              • Instruction ID: cce1a780705fb739a80713d84f39605f4922c41196006011efae683b39400239
                              • Opcode Fuzzy Hash: 070e04086f2b61a99fdf7de2fe284db0554f71735c44ff2962e8d5d8ff806b25
                              • Instruction Fuzzy Hash: 5131F47091162CEBCB61DF28D8887CDBBB8BF08354F1055EAE81CA6250E7309B858F94
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: vwP$y:pF$y:pF
                              • API String ID: 0-913257228
                              • Opcode ID: c68895f817f32d502032dde508137a4f4c34adaca748a20d7f86779c88472320
                              • Instruction ID: 583fd020fa6100f31460d2f8e4309fa05a3e4959eecdcb1378d2700efedbffb7
                              • Opcode Fuzzy Hash: c68895f817f32d502032dde508137a4f4c34adaca748a20d7f86779c88472320
                              • Instruction Fuzzy Hash: B7F12572A445269FCF04CEBDC5A43DF77F29B46314F21A605D428EBB94C62B8E098BD1
                              APIs
                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CF467C0,?,?,00000008,?,?,6CF463C3,00000000), ref: 6CF469F2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionRaise
                              • String ID:
                              • API String ID: 3997070919-0
                              • Opcode ID: c5090a066b35cf352e457abe229a289034bbde9d354a310561203286fbb15b0e
                              • Instruction ID: 891acbbd8b99b63f14f7a26bdb673acfde8b851b3eb024914c3d51e8431bdbf4
                              • Opcode Fuzzy Hash: c5090a066b35cf352e457abe229a289034bbde9d354a310561203286fbb15b0e
                              • Instruction Fuzzy Hash: 44B116326106099FE705CF28C486B957FA0FF45368F25C658F8A9CF6A2C375E992CB40
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CF3BDAE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: FeaturePresentProcessor
                              • String ID:
                              • API String ID: 2325560087-0
                              • Opcode ID: bb62abcb86578621df99160eb3dd0a5f31df82f4892c7a72cb8b92b67341451a
                              • Instruction ID: d0ba51762f22850a493c9a098e1b57730d874f5432670d41563cbd56fadb615e
                              • Opcode Fuzzy Hash: bb62abcb86578621df99160eb3dd0a5f31df82f4892c7a72cb8b92b67341451a
                              • Instruction Fuzzy Hash: 6E51C0B1E216199FDF05CF59C8913AEB7F8FB49304F20996AC418EB690D3759940CFA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4515731dc1941b46f90867f62efbca55fa45fd0c33fc09ef5c8e126dfd301a52
                              • Instruction ID: 15d0a11da3d51d0325b94141e7ab37dfdc03698825c97a1af364510dcbe662a0
                              • Opcode Fuzzy Hash: 4515731dc1941b46f90867f62efbca55fa45fd0c33fc09ef5c8e126dfd301a52
                              • Instruction Fuzzy Hash: BB41C2B5805259AFDB10DF69CC88AEABBB8EF45308F1482DDE40DD3641DB349E848F60
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: ==)6
                              • API String ID: 0-2219475921
                              • Opcode ID: 7918d06344ff2ea8891753728e93b064c2f8ab9ea5d5aecd5866ee5e4c5e3dc3
                              • Instruction ID: e32b026edfdf11939c1a4e0e786a3848e416b3cdf1ce78d5d36eea85ecb2a31f
                              • Opcode Fuzzy Hash: 7918d06344ff2ea8891753728e93b064c2f8ab9ea5d5aecd5866ee5e4c5e3dc3
                              • Instruction Fuzzy Hash: E641D336A51601CFC765CF6DC885A5ABBF1FF84310B1488BAE06ACBA60D234F955CF41
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID: ==)6
                              • API String ID: 0-2219475921
                              • Opcode ID: 93d9ced522f740ba5de4fbcfc052f0efefde506f18534930f0db2ae6399b24ac
                              • Instruction ID: 010e1e29d93b280ce4d3c95b4aa399e30c523e1fab3305232973394192dd44a3
                              • Opcode Fuzzy Hash: 93d9ced522f740ba5de4fbcfc052f0efefde506f18534930f0db2ae6399b24ac
                              • Instruction Fuzzy Hash: 0D41C235A51615CFC765CB2EC485A1AFBF6FF84310B14C8BAE06ACBA64D234E961CF41
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: HeapProcess
                              • String ID:
                              • API String ID: 54951025-0
                              • Opcode ID: 213fa02405cc3797db39cdd404d56bfdf801f12ad3181f7943b0da4eff9aa1bf
                              • Instruction ID: de66ebc89f276c3b65ad4efaab4c36968c7c85bde3327dd97b44200ea189197c
                              • Opcode Fuzzy Hash: 213fa02405cc3797db39cdd404d56bfdf801f12ad3181f7943b0da4eff9aa1bf
                              • Instruction Fuzzy Hash: 2DA00170B25201CFAFD09F3A860A3097AFAAA9AA9574A806EA409C5151EA2585509F52
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: aa9754c4b9bbfe22454affc6afc825f3c9ba83774feb60251852655fc3192372
                              • Instruction ID: e305f616a7c88eb6874cebbc43d952137bcd5e40a1d36c8e638a8dce4e035377
                              • Opcode Fuzzy Hash: aa9754c4b9bbfe22454affc6afc825f3c9ba83774feb60251852655fc3192372
                              • Instruction Fuzzy Hash: 32A10130B152198BCB15CB2CC89153EFBF6AFC5304B68C96AD856DB369C632ED61CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3fbdd12a619638c5faeaaf7c3f281f99ccf428695788ad3e430938eb58a262d7
                              • Instruction ID: deaab8941ff12c0348e1efe260f507dadcf399553ca515841ce18d8a04b57013
                              • Opcode Fuzzy Hash: 3fbdd12a619638c5faeaaf7c3f281f99ccf428695788ad3e430938eb58a262d7
                              • Instruction Fuzzy Hash: 83A11130B152198BCB15CB28C89157EFBF6EFC5304B28C96AD856DB369C232ED61CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cfb80cab7f255fe31cc55e4013f33ed7fb8da014b02e01cfc95b3b608fff7ac0
                              • Instruction ID: 3b21c40fbd0d496d827c298500fbf1b40980cd51e8f0750d841f0ae606cd486c
                              • Opcode Fuzzy Hash: cfb80cab7f255fe31cc55e4013f33ed7fb8da014b02e01cfc95b3b608fff7ac0
                              • Instruction Fuzzy Hash: 9F419C35F1521A8FCB40CFABC8819AEFBB5FB89340B15C566D815EB720D235DA11CB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036484667.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3010000_StrangeOstrumV2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 77997eb7742bac0f61e048b6130a0b673cfa8d0ded6fa19d605e64298e1b0ad2
                              • Instruction ID: c756e2da39d2bdffaa2d054271703e8938455805ff4d3e20627f79d490d932c8
                              • Opcode Fuzzy Hash: 77997eb7742bac0f61e048b6130a0b673cfa8d0ded6fa19d605e64298e1b0ad2
                              • Instruction Fuzzy Hash: A441BC71F1121A8FCB44CFABC9819AEFBF5BB88340B55C426D815EB760D235D911CB91
                              APIs
                              • type_info::operator==.LIBVCRUNTIME ref: 6CF3D729
                              • ___TypeMatch.LIBVCRUNTIME ref: 6CF3D837
                              • _UnwindNestedFrames.LIBCMT ref: 6CF3D989
                              • CallUnexpected.LIBVCRUNTIME ref: 6CF3D9A4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                              • String ID: csm$csm$csm
                              • API String ID: 2751267872-393685449
                              • Opcode ID: 04dd7cb4126d502cbb2dc4d9facd7df26411e0888793374ce00b23cfb3ed407d
                              • Instruction ID: a01426b0547beb31003020d7c4aa15868be8d92c9894be5f610fcc6e4c0e3527
                              • Opcode Fuzzy Hash: 04dd7cb4126d502cbb2dc4d9facd7df26411e0888793374ce00b23cfb3ed407d
                              • Instruction Fuzzy Hash: EEB17B71811229FFCF09DFA4C880A9EBBB5BF44318B15625AE8186BB11D331EA55CFD1
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6CF3C6E7
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6CF3C6EF
                              • _ValidateLocalCookies.LIBCMT ref: 6CF3C778
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6CF3C7A3
                              • _ValidateLocalCookies.LIBCMT ref: 6CF3C7F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 04b890bdc4b15dc4a795d310db3a6eea7813f04a32bd6257f3f587206d00d1e7
                              • Instruction ID: 40cd77e81ea6a71bf7a1b988d71c27cad46eb7fdb881311ecae629e988dd5757
                              • Opcode Fuzzy Hash: 04b890bdc4b15dc4a795d310db3a6eea7813f04a32bd6257f3f587206d00d1e7
                              • Instruction Fuzzy Hash: EE417F34A00239ABCF00EF69C884ADEBBB5AF45328F149656ED189B791D731DA15CBD0
                              APIs
                              • FreeLibrary.KERNEL32(00000000,?,6CF41689,00000000,6CF3EE90,00000000,00000000,00000001,?,6CF41802,00000022,FlsSetValue,6CF49898,6CF498A0,00000000), ref: 6CF4163B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeLibrary
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 3664257935-537541572
                              • Opcode ID: deb5326b53a8cd3eb2b0f99bd273326e71993ec202a7dd2bd44f97e8a5b79730
                              • Instruction ID: f6f74b3cf222e02b782aa2c172517b42fa5f92949a379fc50743e5933a354330
                              • Opcode Fuzzy Hash: deb5326b53a8cd3eb2b0f99bd273326e71993ec202a7dd2bd44f97e8a5b79730
                              • Instruction Fuzzy Hash: DE212B31F15120ABDB119F659C40B8A3F799B42378F29C211E81AE7682DB30EE10C6D1
                              APIs
                              • GetLastError.KERNEL32(00000001,?,6CF3C891,6CF3B9B0,6CF3B3C9,?,6CF3B601,?,00000001,?,?,00000001,?,6CF4D698,0000000C,6CF3B6FA), ref: 6CF3CC6A
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF3CC78
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF3CC91
                              • SetLastError.KERNEL32(00000000,6CF3B601,?,00000001,?,?,00000001,?,6CF4D698,0000000C,6CF3B6FA,?,00000001,?), ref: 6CF3CCE3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: a602f0be81e259d1af516e496e2958fefdd189c33b960172a4fff454180a2d93
                              • Instruction ID: 78f15a140bf73a7f2986327ed634a56c48f8e4767b3f717bc6b01b97ee8b22ec
                              • Opcode Fuzzy Hash: a602f0be81e259d1af516e496e2958fefdd189c33b960172a4fff454180a2d93
                              • Instruction Fuzzy Hash: 2D01F532F392757EAA403A7EAC8474636A4EB437BD730232AE118A5AD0EF114C0482D4
                              Strings
                              • C:\Users\user\Desktop\StrangeOstrumV2.exe, xrefs: 6CF407CA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                               • Associated: 00000000.00000002.2039456362.000000006CF30000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039497561.000000006CF48000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF4F000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039515330.000000006CF81000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000000.00000002.2039589574.000000006CF9A000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cf30000_StrangeOstrumV2.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: C:\Users\user\Desktop\StrangeOstrumV2.exe
                              • API String ID: 0-3601355902
                              • Opcode ID: 9406b6158293816cc6c0414a1f25baf24769a3296bc730a3bb538e54f21e5cf5
                              • Instruction ID: 323d63efa7b27d757550e0a612c301acf8c909534239a8d1d603809f2f413c45
                              • Opcode Fuzzy Hash: 9406b6158293816cc6c0414a1f25baf24769a3296bc730a3bb538e54f21e5cf5
                              • Instruction Fuzzy Hash: E521D432604285BF8700AF668D90D9B7FA9EF6132C705C924F919D7A42DBB0EC44CBD0
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FD7CA857,00000000,?,00000000,6CF470C2,000000FF,?,6CF3E758,?,?,6CF3E72C,?), ref: 6CF3E7F3
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF3E805
                              • FreeLibrary.KERNEL32(00000000,?,00000000,6CF470C2,000000FF,?,6CF3E758,?,?,6CF3E72C,?), ref: 6CF3E827
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 68233c0ac0c84e3ce4a81ca2ed8f780c31e244249a6d98cc6a22702ef7436e88
                              • Instruction ID: 3ecf9332fc056a9841082c7b15fd337d672fac6c4bbb17b5ac986dab403ee375
                              • Opcode Fuzzy Hash: 68233c0ac0c84e3ce4a81ca2ed8f780c31e244249a6d98cc6a22702ef7436e88
                              • Instruction Fuzzy Hash: 91014F31E21529EFDF11AF94CC04BAE7BB9FF05659F008526E821E2A91DB759900CAD0
                              APIs
                              • __alloca_probe_16.LIBCMT ref: 6CF432BA
                              • __alloca_probe_16.LIBCMT ref: 6CF43383
                              • __freea.LIBCMT ref: 6CF433EA
                                • Part of subcall function 6CF423DA: RtlAllocateHeap.NTDLL(00000000,6CF40D27,6CF420F4,?,6CF40D27,00000220,?,?,6CF420F4), ref: 6CF4240C
                              • __freea.LIBCMT ref: 6CF433FD
                              • __freea.LIBCMT ref: 6CF4340A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: __freea$__alloca_probe_16$AllocateHeap
                              • String ID:
                              • API String ID: 1423051803-0
                              • Opcode ID: b6a6a7fe6625ae2a5c313867cb8736d4673b53f70da48d6ed9aaf588ae60726b
                              • Instruction ID: 1da23efc0ab472e8cf60452a56045d916131a18805c1abe51c7c04e2ff7df36a
                              • Opcode Fuzzy Hash: b6a6a7fe6625ae2a5c313867cb8736d4673b53f70da48d6ed9aaf588ae60726b
                              • Instruction Fuzzy Hash: F351B372601206ABEB114FA4CC41EFB3EBADF44618F21C128FD14D7A22EB30DD198660
                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CF3D1E3,00000000,?,00000001,?,?,?,6CF3D2D2,00000001,FlsFree,6CF48F70,FlsFree), ref: 6CF3D23F
                              • GetLastError.KERNEL32(?,6CF3D1E3,00000000,?,00000001,?,?,?,6CF3D2D2,00000001,FlsFree,6CF48F70,FlsFree,00000000,?,6CF3CD31), ref: 6CF3D249
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CF3D271
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID: api-ms-
                              • API String ID: 3177248105-2084034818
                              • Opcode ID: 3df4a6f5b78787e6ad38694b01ad16e316c959464556e25a6604a624e61fe917
                              • Instruction ID: f792d9af7675f9d41f6b3b4d227ddef5d9fd203ace5eeee32fa351900053f9c5
                              • Opcode Fuzzy Hash: 3df4a6f5b78787e6ad38694b01ad16e316c959464556e25a6604a624e61fe917
                              • Instruction Fuzzy Hash: 6CE04F707A4204B7EF502AB2DC05B4D3F66AB12B59F209022F90DE88D3E772E85086D9
                              APIs
                              • GetConsoleOutputCP.KERNEL32(FD7CA857,00000000,00000000,?), ref: 6CF439A5
                                • Part of subcall function 6CF4137C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF433E0,?,00000000,-00000008), ref: 6CF413DD
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF43BF7
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF43C3D
                              • GetLastError.KERNEL32 ref: 6CF43CE0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                              • String ID:
                              • API String ID: 2112829910-0
                              • Opcode ID: b13f720945e859294b9a5263217713a7e2d26fd77b4b794aebcc327318933a8e
                              • Instruction ID: ff19131aa50a73224d717cc63c65b536109130b4f614b6436ad43e2da3cd20bd
                              • Opcode Fuzzy Hash: b13f720945e859294b9a5263217713a7e2d26fd77b4b794aebcc327318933a8e
                              • Instruction Fuzzy Hash: 23D16975E04258AFDF05CFA8C880AADBBB5FF09314F24816AE525EB752D730A949CB50
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              • Opcode ID: 086dd63d92777056c6588987b6e50a7aa256b4936262fc9aa34407b912987dc4
                              • Instruction ID: d79c26ed2b31e8be0789701c5c35bbe5b652c0deaf8196aefba5e1aa41d16deb
                              • Opcode Fuzzy Hash: 086dd63d92777056c6588987b6e50a7aa256b4936262fc9aa34407b912987dc4
                              • Instruction Fuzzy Hash: 1851C072616626BFEB158F54D840BAA77B4EF01318F20552AE91D87B90E731F980CBD0
                              APIs
                                • Part of subcall function 6CF4137C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF433E0,?,00000000,-00000008), ref: 6CF413DD
                              • GetLastError.KERNEL32 ref: 6CF4002C
                              • __dosmaperr.LIBCMT ref: 6CF40033
                              • GetLastError.KERNEL32(?,?,?,?), ref: 6CF4006D
                              • __dosmaperr.LIBCMT ref: 6CF40074
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                              • String ID:
                              • API String ID: 1913693674-0
                              • Opcode ID: 128d8da02a5b0ddeec16886edeb0a7f640b6fedb5371308d6f20543810bf1b79
                              • Instruction ID: 57304e5263e87a5f482ea733d5b020f40c32a3519589d5df93a3149989a612b4
                              • Opcode Fuzzy Hash: 128d8da02a5b0ddeec16886edeb0a7f640b6fedb5371308d6f20543810bf1b79
                              • Instruction Fuzzy Hash: 33210732604255BFDB10AF7A8890D9BBBB9FF5136D704C619E81D87E42D7B0EC448B90
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 6CF41427
                                • Part of subcall function 6CF4137C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF433E0,?,00000000,-00000008), ref: 6CF413DD
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF4145F
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF4147F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                              • String ID:
                              • API String ID: 158306478-0
                              • Opcode ID: ff2b63661a48e51b4104dded13db88c5d3bdb53599942a9d6c93bd32099d6965
                              • Instruction ID: d2973622d880eb9f36ce77d231084426ff2c58267a1876e23f713d05e6d133a1
                              • Opcode Fuzzy Hash: ff2b63661a48e51b4104dded13db88c5d3bdb53599942a9d6c93bd32099d6965
                              • Instruction Fuzzy Hash: A0112BB2911A157FA71167B58C88DEF7D7CCF971AC310C116F802D1A42EB34DD5481B0
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CF44A76,00000000,00000001,00000000,?,?,6CF43D34,?,00000000,00000000), ref: 6CF452CD
                              • GetLastError.KERNEL32(?,6CF44A76,00000000,00000001,00000000,?,?,6CF43D34,?,00000000,00000000,?,?,?,6CF442D7,00000000), ref: 6CF452D9
                                • Part of subcall function 6CF4529F: CloseHandle.KERNEL32(FFFFFFFE,6CF452E9,?,6CF44A76,00000000,00000001,00000000,?,?,6CF43D34,?,00000000,00000000,?,?), ref: 6CF452AF
                              • ___initconout.LIBCMT ref: 6CF452E9
                                • Part of subcall function 6CF45261: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF45290,6CF44A63,?,?,6CF43D34,?,00000000,00000000,?), ref: 6CF45274
                              • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CF44A76,00000000,00000001,00000000,?,?,6CF43D34,?,00000000,00000000,?), ref: 6CF452FE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: dc42e1905c0f672fc36c0aa5e21abec89e71170d168544ba39ccf6b9861c34dd
                              • Instruction ID: 8330a65218d838c8e6a4f2fd794d4430aa49673286d2b5c056f349e3bbb10a65
                              • Opcode Fuzzy Hash: dc42e1905c0f672fc36c0aa5e21abec89e71170d168544ba39ccf6b9861c34dd
                              • Instruction Fuzzy Hash: 6EF0A236610158BBCF922FA5DC04B993F77FB06765B158111FA1D95625C7328920DB90
                              APIs
                              • EncodePointer.KERNEL32(00000000,?), ref: 6CF3D9D4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2039470838.000000006CF31000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF30000, based on PE: true
                              Similarity
                              • API ID: EncodePointer
                              • String ID: MOC$RCC
                              • API String ID: 2118026453-2084237596
                              • Opcode ID: 9525f503b853d0146b6bd4a4bcc4976b81cf258b138c1e0767af64a2a5ba9404
                              • Instruction ID: 16e2b30fefac59afc8c835787731c469624533ac189cbce371badac3aab63982
                              • Opcode Fuzzy Hash: 9525f503b853d0146b6bd4a4bcc4976b81cf258b138c1e0767af64a2a5ba9404
                              • Instruction Fuzzy Hash: CF419C71904229BFCF0ACF98CD80AEE7BB5FF48708F149159F918A7612D3359950DBA0

                              Execution Graph

                              Execution Coverage:6.7%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:52
                              Total number of Limit Nodes:9
                              execution_graph (rendered as an interactive graph in the original; the recoverable call paths inside the MSBuild.exe region at 0xF80000 are): f84668 -> f847a0 -> f848b0 / f848a1 -> f84248 -> f85940 -> CreateActCtxA; f8d0b8 -> GetCurrentProcess -> GetCurrentThread -> GetCurrentProcess -> GetCurrentThreadId; f8ad38 -> f8ae30 / f8ae20 -> f8b0c8 / f8b0b8 -> f8a870 -> f8b2a8 -> LoadLibraryExW, with f8ae5c -> f8b068 -> GetModuleHandleW; f8d300 -> DuplicateHandle.
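                              Added example (editor's code, not part of the Joe Sandbox report and not code from the sample): the dump metadata in this section records the process-3 (MSBuild.exe) code at 0xF80000 as "based on PE: false", i.e. the functions disassembled below run from memory that no image file on disk backs, while the process-0 module at 0x6CF30000 is "based on PE: true" with read-only, execute-read and read-write image sections. Executable memory with no PE image behind it is the memory-level check (the rule Volatility's malfind applies) a responder would run on a live host to locate the injected payload. The region list below is constructed from this section's dump descriptors; reading the dump-name fields 00000040 / 00020000 as PAGE_EXECUTE_READWRITE / MEM_PRIVATE and 00000020 / 01000000 as PAGE_EXECUTE_READ / MEM_IMAGE, the region sizes, and the guard-page control entry are assumptions.

```python
"""Malfind-style triage: flag executable memory that no PE image on disk backs.

Editor's added example for this report section; not Joe Sandbox or sample code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Page protections and region types as defined in winnt.h.
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100

MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass(frozen=True)
class Region:
    """One VirtualQueryEx-style record (values assumed from the report's dump names)."""
    pid: int        # process index as used in the report: 0 = StrangeOstrumV2.exe, 3 = MSBuild.exe
    base: int
    size: int       # assumed; the dump names do not carry the region size
    protect: int    # PAGE_* value
    mem_type: int   # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE


def classify_region(r: Region) -> List[str]:
    """Return why a region looks like injected code; an empty list means nothing to flag."""
    reasons: List[str] = []
    # Guard pages and no-access memory cannot execute as they are, so skip them.
    if (r.protect & PAGE_GUARD) or (r.protect & 0xFF) == PAGE_NOACCESS:
        return reasons
    if not (r.protect & EXEC_MASK):
        return reasons
    if r.mem_type == MEM_PRIVATE:
        reasons.append("executable MEM_PRIVATE region, no PE image behind it")
    elif r.mem_type == MEM_MAPPED:
        reasons.append("executable MEM_MAPPED region (section object, not a loaded image)")
    if r.protect & WRITE_MASK:
        # A normally loaded image section is never both writable and executable;
        # RWX shows up when code was written at runtime or patched in place.
        reasons.append("writable and executable at the same time (RWX)")
    return reasons


def find_injection_candidates(regions: List[Region]) -> Dict[Tuple[int, int], List[str]]:
    """Map (pid, base) -> reasons for every region worth a closer look."""
    hits: Dict[Tuple[int, int], List[str]] = {}
    for r in regions:
        reasons = classify_region(r)
        if reasons:
            hits[(r.pid, r.base)] = reasons
    return hits


# Constructed from this section's dump descriptors (sizes assumed).
SAMPLE_REGIONS = [
    # Process 0: image-backed module at 0x6CF30000 ("based on PE: true").
    Region(0, 0x6CF30000, 0x1000, PAGE_READONLY, MEM_IMAGE),        # PE header
    Region(0, 0x6CF31000, 0x17000, PAGE_EXECUTE_READ, MEM_IMAGE),   # code
    Region(0, 0x6CF4F000, 0x32000, PAGE_READWRITE, MEM_IMAGE),      # data
    # Process 3 (MSBuild.exe): RWX private memory at 0xF80000 ("based on PE: false").
    Region(3, 0x00F80000, 0x10000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
    # Constructed control: a guarded executable page must not be reported.
    Region(3, 0x01000000, 0x1000, PAGE_EXECUTE_READ | PAGE_GUARD, MEM_PRIVATE),
]


if __name__ == "__main__":
    for (pid, base), reasons in find_injection_candidates(SAMPLE_REGIONS).items():
        print(f"pid {pid} base 0x{base:08X}: " + "; ".join(reasons))
```

                              Only the MSBuild.exe region at 0xF80000 is reported. In a managed host such as MSBuild.exe the CLR's JIT also allocates private RWX memory, so on a real system this rule alone over-reports; corroborate a hit with an MZ header or a full PE layout inside the region (what the report's "based on PE" flag records) and with the cross-process write that placed the memory there.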

                              Control-flow Graph
                              • Rendered as an interactive graph in the original. Basic blocks f8d0a8-f8d285; API calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; internal call to f8d289.
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00F8D136
                              • GetCurrentThread.KERNEL32 ref: 00F8D173
                              • GetCurrentProcess.KERNEL32 ref: 00F8D1B0
                              • GetCurrentThreadId.KERNEL32 ref: 00F8D209
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: cfdc2a0c0b4f7ad8989a2c7f9cae22eba14fb65e7395e9f0696e79b127effd06
                              • Instruction ID: a4b8134dd72a5bbb7657b8c93854d460d997102da207530e18046503fee77c4d
                              • Opcode Fuzzy Hash: cfdc2a0c0b4f7ad8989a2c7f9cae22eba14fb65e7395e9f0696e79b127effd06
                              • Instruction Fuzzy Hash: 075166B0D006098FDB04DFA9D94879EBBF1EF88314F208459E409A73A1DB34A985CB25

                              Control-flow Graph
                              • Rendered as an interactive graph in the original. Basic blocks f8d0b8-f8d285 (same body as the f8d0a8 function above, entered at f8d0b8); API calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; internal call to f8d289.
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00F8D136
                              • GetCurrentThread.KERNEL32 ref: 00F8D173
                              • GetCurrentProcess.KERNEL32 ref: 00F8D1B0
                              • GetCurrentThreadId.KERNEL32 ref: 00F8D209
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: ab738efd0a4da947361cbce8a4bad6a24d1b736cad386a6885d5389a85d0a19f
                              • Instruction ID: 9cb45b584d4445dae843ee4b98921a4abd15386bf03f731cb4342513d55af946
                              • Opcode Fuzzy Hash: ab738efd0a4da947361cbce8a4bad6a24d1b736cad386a6885d5389a85d0a19f
                              • Instruction Fuzzy Hash: D95159B0D007098FDB14DFA9D948BDEBBF1EF88314F208459E419A73A0DB74A945CB65

                              Control-flow Graph
                              • Rendered as an interactive graph in the original. Basic blocks f8ae30-f8b0b0; API call GetModuleHandleW at f8b068-f8b093; internal calls to f89838, f8b0c8 / f8b0b8 (the LoadLibraryExW wrappers in the execution graph), f8a814, f8a824, f8a834 and f8a844.
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00F8B086
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Similarity
                              • API ID: HandleModule
                              • String ID: U$U
                              • API String ID: 4139908857-3302002139
                              • Opcode ID: b45858d8aa3381b84b6bc27d9f744ba1f645d60840ccea74f1b80b4270ccc8db
                              • Instruction ID: ac342eda1974d392928508c980412cac883c438f31cc83a758f09d86b330d826
                              • Opcode Fuzzy Hash: b45858d8aa3381b84b6bc27d9f744ba1f645d60840ccea74f1b80b4270ccc8db
                              • Instruction Fuzzy Hash: 7D714AB0A00B058FE724EF2AD44579ABBF1FF88310F10892EE446D7A50D775E946DB91

                              Control-flow Graph
                              • Rendered as an interactive graph in the original. Basic blocks f85935-f85a89 ending in a self-looping block at f85a89; API call CreateActCtxA in the entry block.
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00F859F1
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 0d694b8c53762bc8451ab92ffdd1ffb62199b86d57ccb82779b365093b7db01a
                              • Instruction ID: 04b855a2beb998d5c02afb72c4c950b889478902b49ff4a42b451532dacfc1ca
                              • Opcode Fuzzy Hash: 0d694b8c53762bc8451ab92ffdd1ffb62199b86d57ccb82779b365093b7db01a
                              • Instruction Fuzzy Hash: 1A41EEB0D00619CFDB24DFA9C884ADEBBB5FF49704F20816AD408AB251DB75694ACF91

                              Control-flow Graph
                              • Rendered as an interactive graph in the original. Basic blocks f84248-f85a89 (same body as the f85935 function above, entered at f84248); API call CreateActCtxA in the entry block.
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00F859F1
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: d5e815b8b5428a3963d47a41fdc98b848c18a03285ff4cfcb225ac4539e94272
                              • Instruction ID: bd613aad84a5c251e9659ca78c3b003e4aeed06ed293a6739ff48854a266322d
                              • Opcode Fuzzy Hash: d5e815b8b5428a3963d47a41fdc98b848c18a03285ff4cfcb225ac4539e94272
                              • Instruction Fuzzy Hash: B341DFB0D00619CBDB24DFA9C884BCEBBB5FF49704F20816AD408AB255DB75A949CF91

                              Control-flow Graph (rendered graph not recoverable; nodes and edges listed as extracted)
                              • Nodes: 482 f8d300-f8d394 (DuplicateHandle), 483 f8d39d-f8d3ba, 484 f8d396-f8d39c
                              • Edges: 482->483, 482->484, 484->483
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8D387
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 5793e10e1610f3755ed1cfcb464604fb8857c23547fa1fb80e08d5b2c17204b2
                              • Instruction ID: 18be361bde86fbba9ac55c6983b2d99588e4cd73a2dc6aea2de5a42c48166a17
                              • Opcode Fuzzy Hash: 5793e10e1610f3755ed1cfcb464604fb8857c23547fa1fb80e08d5b2c17204b2
                              • Instruction Fuzzy Hash: D921E4B5D002099FDB10CF9AD484ADEBBF8EB48310F14841AE918A3350C374A954CFA5

                              Control-flow Graph (rendered graph not recoverable; nodes and edges listed as extracted)
                              • Nodes: 487 f8d2f9-f8d394 (DuplicateHandle), 488 f8d39d-f8d3ba, 489 f8d396-f8d39c
                              • Edges: 487->488, 487->489, 489->488
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8D387
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 5bf2dc2ca8bf5642db2028edd38174f642393653a394d93561736783353ee959
                              • Instruction ID: cd226663d8c8c8cc2a8bd7e39aca54ea3fa49a6bf48ae245e267bd32ed0ec305
                              • Opcode Fuzzy Hash: 5bf2dc2ca8bf5642db2028edd38174f642393653a394d93561736783353ee959
                              • Instruction Fuzzy Hash: DA21F3B5D00209DFDB10CFA9E584ADEBBF5FB48310F14841AE918A3351C374A954CF65

                              Control-flow Graph (rendered graph not recoverable; nodes and edges listed as extracted)
                              • Nodes: 492 f8a870-f8b2e8, 494 f8b2ea-f8b2ed, 495 f8b2f0-f8b31f (LoadLibraryExW), 496 f8b328-f8b345, 497 f8b321-f8b327
                              • Edges: 492->494, 492->495, 494->495, 495->496, 495->497, 497->496
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F8B101,00000800,00000000,00000000), ref: 00F8B312
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 5e9b126c5c8015771dbadc3837baa30ce8ee26bcddfc7cee3c5b4ea50d768d08
                              • Instruction ID: 1daff7dce724285442475f23c0105faa41b36b577ca6ecc3681b614ef8835f48
                              • Opcode Fuzzy Hash: 5e9b126c5c8015771dbadc3837baa30ce8ee26bcddfc7cee3c5b4ea50d768d08
                              • Instruction Fuzzy Hash: E11103B6D003498FCB20DF9AD444ADEFBF4EB88321F10842AE419A7211C375A945CFA5

                              Control-flow Graph (rendered graph not recoverable; nodes and edges listed as extracted)
                              • Nodes: 500 f8b2a0-f8b2e8, 501 f8b2ea-f8b2ed, 502 f8b2f0-f8b31f (LoadLibraryExW), 503 f8b328-f8b345, 504 f8b321-f8b327
                              • Edges: 500->501, 500->502, 501->502, 502->503, 502->504, 504->503
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F8B101,00000800,00000000,00000000), ref: 00F8B312
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 5b3524e0292a7f1c7427358e861790a6bff99a661d79eac138828afb5f42fb3a
                              • Instruction ID: 0a66053f8581ea208b9f5fabf73e54967244ade473fe98f5bfd4ead5734c3546
                              • Opcode Fuzzy Hash: 5b3524e0292a7f1c7427358e861790a6bff99a661d79eac138828afb5f42fb3a
                              • Instruction Fuzzy Hash: E411E2B6D003498FDB20DF9AD444ADEFBF4EB88320F10842AD529A7650C379A945CFA5

                              Control-flow Graph (rendered graph not recoverable; nodes and edges listed as extracted)
                              • Nodes: 507 f8b020-f8b060, 508 f8b068-f8b093 (GetModuleHandleW), 509 f8b062-f8b065, 510 f8b09c-f8b0b0, 511 f8b095-f8b09b
                              • Edges: 507->508, 507->509, 508->510, 508->511, 509->508, 511->510
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00F8B086
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131324141.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_f80000_MSBuild.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 268778125e727e68481269bfff25712f9c17a3ad33be987e70122c8f1e3a28f7
                              • Instruction ID: 6c718c61e4fd311e5ae20c73395624467549483b4ef40d7c0bc2167e8eda1201
                              • Opcode Fuzzy Hash: 268778125e727e68481269bfff25712f9c17a3ad33be987e70122c8f1e3a28f7
                              • Instruction Fuzzy Hash: 6D11E0B5D003498FCB20DF9AD444ADEFBF4EB89320F10841AD429B7611D375A549CFA5
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131001207.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_e4d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8c47e704327e3db4e10ef6fb204106192c29bbc0d92c93751c70a228f2cbb3b
                              • Instruction ID: df9f8db610f2f2176806c796ea0082a30993ee8f64ca2a519bb6b4cbebc0d469
                              • Opcode Fuzzy Hash: b8c47e704327e3db4e10ef6fb204106192c29bbc0d92c93751c70a228f2cbb3b
                              • Instruction Fuzzy Hash: CC2125B1608240DFDB05DF14EDC0B26BF65FB98318F34C569E9091B256C73AD816CAA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131001207.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_e4d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 46e8c1bc95c2971234e7ee2c3f19ba3968471156e2a0821977fc31be6e1fbbc4
                              • Instruction ID: 3d3c52011a64d00e26b719dac1a096b8b7d2d79650f32fcb3f234354b4ed9189
                              • Opcode Fuzzy Hash: 46e8c1bc95c2971234e7ee2c3f19ba3968471156e2a0821977fc31be6e1fbbc4
                              • Instruction Fuzzy Hash: 242128B1508204DFDB05DF14EDC0B16BF65FB94324F24C56DE9095B256C33AE856C6A1
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131039716.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_e5d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69fc0eaf9350fd7f4dcb634b5a96d484f91f4dbb61cd42356e209958050fabda
                              • Instruction ID: 2b7e7ce3c03d3623e65147209c9f1d3936367e9b20d1c69f0b9bdebd74f1e446
                              • Opcode Fuzzy Hash: 69fc0eaf9350fd7f4dcb634b5a96d484f91f4dbb61cd42356e209958050fabda
                              • Instruction Fuzzy Hash: D821F571508240DFDB24DF14D9C4B16BB66EB84319F34C96DDD0A5B296C33AD80BCA61
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131039716.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_e5d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9224bf32133ea0c5b9f4639f4abd2b0626ff5c722269f7887d742ce1865a527c
                              • Instruction ID: 528ff6f69d21ba23cc36b428d2da720aa23deb7939229c7b6c7a5951ba3a4ccb
                              • Opcode Fuzzy Hash: 9224bf32133ea0c5b9f4639f4abd2b0626ff5c722269f7887d742ce1865a527c
                              • Instruction Fuzzy Hash: 1A21537550D3808FDB12CF24D994715BF71EB46314F28C5EAD8498B6A7C33A980ACB62
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131001207.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_e4d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                              • Instruction ID: d6762d15ee1cc1527c4845aa5d80ce91a09c1b4763ca8c5f2db4987071c37187
                              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                              • Instruction Fuzzy Hash: B8112676404240CFCB12CF10E9C4B16BF71FB94324F24C2A9D8090B656C33AE85ACBA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.2131001207.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_e4d000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                              • Instruction ID: 198981087ae77ad3f41f5d87fab690c5ec5c8fdf58fe61f405777c2fa953e5ee
                              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                              • Instruction Fuzzy Hash: 5711E976504240CFCB15CF14E9C4B16BF71FB94318F24C5A9D8494B656C33AD456CBA1