Windows Analysis Report
nuCc19sDOl.exe

Overview

General Information

Sample name: nuCc19sDOl.exe (renamed because original name is a hash value)
Original sample name: 01e059b3901bd579fb8ea4ebc34009f9.exe
Analysis ID: 1483425
MD5: 01e059b3901bd579fb8ea4ebc34009f9
SHA1: 19b0a2db06db2afbef2b95221d2c11fe4107aa43
SHA256: 05e5cab97709be490b7216163e29d326f43d4f273bdfccf93a485212064b4aca
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • nuCc19sDOl.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\nuCc19sDOl.exe" MD5: 01E059B3901BD579FB8EA4EBC34009F9)
    • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 6864 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "5.42.92.213:46419", "Bot Id": "478596", "Authorization Header": "d409ddacd5400779d74f75370da84208"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.1818185346.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(4 further memory-dump entries are not expanded in this report)

Source | Rule | Description | Author | Strings
0.2.nuCc19sDOl.exe.6cf79000.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
2.2.MSBuild.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.nuCc19sDOl.exe.6cf79000.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.nuCc19sDOl.exe.6cf50000.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-27T12:12:06.512543+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:55.686346+0200 | 2022930 | 443 | 49737 | TCP | A Network Trojan was detected
2024-07-27T12:12:06.733994+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:09.445963+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:06.259979+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:11.913475+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:00.321853+0200 | 2043234 | 46419 | 49730 | TCP | A Network Trojan was detected
2024-07-27T12:12:06.963750+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:09.826085+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:09.188597+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:11.052524+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:08.253192+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:09.726434+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:10.122926+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:05.370389+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:06.037205+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:07.886941+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:17.533976+0200 | 2022930 | 443 | 49731 | TCP | A Network Trojan was detected
2024-07-27T12:12:05.827728+0200 | 2046056 | 46419 | 49730 | TCP | A Network Trojan was detected
2024-07-27T12:12:08.755787+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:08.971532+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:05.822240+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:12.155240+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:11.480008+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:10.128355+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:08.534683+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:11.270445+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:00.115561+0200 | 2046045 | 49730 | 46419 | TCP | A Network Trojan was detected
2024-07-27T12:12:11.697363+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected

                        AV Detection

Source: nuCc19sDOl.exe | Avira: detected
Source: 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "5.42.92.213:46419", "Bot Id": "478596", "Authorization Header": "d409ddacd5400779d74f75370da84208"}
Source: C:\Users\user\AppData\Roaming\d3d9.dll | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\d3d9.dll | Virustotal: Detection: 72%
Source: nuCc19sDOl.exe | ReversingLabs: Detection: 73%
Source: nuCc19sDOl.exe | Virustotal: Detection: 45%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\d3d9.dll | Joe Sandbox ML: detected
Source: nuCc19sDOl.exe | Joe Sandbox ML: detected
Source: nuCc19sDOl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nuCc19sDOl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WINLOA~1.PDBIEnloh source: MSBuild.exe, 00000002.00000002.1827440717.00000000052B0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then jmp 06A00538h | 2_2_06A00040

                        Networking

Source: Malware configuration extractor | URLs: 5.42.92.213:46419
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 5.42.92.213:46419
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.92.213 (48 entries)
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002A6F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15V
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.0000000002A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.0000000002A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.0000000002A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.0000000002A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                        Source: nuCc19sDOl.exe, nuCc19sDOl.exe, 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp, MSBuild.exe, 00000002.00000002.1818185346.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443

                        System Summary

                        Source: nuCc19sDOl.exe, -Module-.csLarge array initialization: _206A_200E_202C_200D_200D_202A_206E_200F_200F_202A_200C_200D_200F_206B_206D_202E_206E_202D_206A_202D_200D_202D_202B_200D_206C_202B_206B_202B_202B_206F_200B_206D_200B_206E_206C_206E_200C_202D_206D_202D_202E: array initializer size 51520
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_6CF575A0 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,0_2_6CF575A0
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_6CF575A00_2_6CF575A0
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_6CF57A600_2_6CF57A60
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_6CF512300_2_6CF51230
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_6CF650E00_2_6CF650E0
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_6CF70BB50_2_6CF70BB5
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_6CF7EB170_2_6CF7EB17
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B10700_2_017B1070
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B25280_2_017B2528
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B09720_2_017B0972
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B09270_2_017B0927
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B39F00_2_017B39F0
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B39E00_2_017B39E0
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B10530_2_017B1053
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B08DF0_2_017B08DF
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B0A870_2_017B0A87
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B25180_2_017B2518
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B0C400_2_017B0C40
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B24E70_2_017B24E7
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_017B2E700_2_017B2E70
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_0AF047480_2_0AF04748
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_0AF043880_2_0AF04388
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_0261DC742_2_0261DC74
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_04E68D282_2_04E68D28
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_04E669482_2_04E66948
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_04E600402_2_04E60040
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_04E6001F2_2_04E6001F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_04E68D182_2_04E68D18
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_06A0F3582_2_06A0F358
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_06A080C82_2_06A080C8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_06A000402_2_06A00040
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_06A021182_2_06A02118
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_06A02D282_2_06A02D28
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_06A0BA202_2_06A0BA20
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: String function: 6CF66140 appears 33 times
                        Source: nuCc19sDOl.exe, 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameCaftans.exe8 vs nuCc19sDOl.exe
                        Source: nuCc19sDOl.exe, 00000000.00000002.1680819190.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nuCc19sDOl.exe
                        Source: nuCc19sDOl.exe, 00000000.00000000.1675792653.0000000000D72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCharlie846Ian.txtP vs nuCc19sDOl.exe
                        Source: nuCc19sDOl.exe	Binary or memory string: OriginalFilenameCharlie846Ian.txtP vs nuCc19sDOl.exe
                        Source: nuCc19sDOl.exe	Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: classification engine	Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	File created: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
                        Source: nuCc19sDOl.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: nuCc19sDOl.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: nuCc19sDOl.exe	ReversingLabs: Detection: 73%
                        Source: nuCc19sDOl.exe	Virustotal: Detection: 45%
                        Source: unknown	Process created: C:\Users\user\Desktop\nuCc19sDOl.exe "C:\Users\user\Desktop\nuCc19sDOl.exe"
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: version.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwrite.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvcp140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: nuCc19sDOl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: nuCc19sDOl.exe	Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: WINLOA~1.PDBIEnloh source: MSBuild.exe, 00000002.00000002.1827440717.00000000052B0000.00000004.00000020.00020000.00000000.sdmp

                        Data Obfuscation

                        Source: nuCc19sDOl.exe, -Module-.cs	.Net Code: _206F_200C_200B_200F_200C_200B_202C_206A_202B_206D_202D_206C_200F_202C_206E_206C_202E_206D_200D_202E_200D_200F_202A_206E_200B_202B_202D_202B_200E_200C_206A_200B_206B_202E_206E_202B_206C_200D_200C_200D_202E System.Reflection.Assembly.Load(byte[])
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF712E4 push ecx; ret 0_2_6CF712F7
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF79180 pushfd ; iretd 0_2_6CF79181
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF7EB17 push es; retf 0_2_6CF7EB12
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_0AEF071E push esp; retf 0_2_0AEF071F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_04E6D912 push eax; ret 2_2_04E6D921
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06A0B89B push FFFFFF8Bh; iretd 2_2_06A0B89E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06A0B8E0 push FFFFFF8Bh; iretd 2_2_06A0B8E3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06A0B924 push FFFFFF8Bh; iretd 2_2_06A0B92E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_06A0B97E push FFFFFF8Bh; iretd 2_2_06A0B982
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	File created: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match	File source: Process Memory Space: nuCc19sDOl.exe PID: 6652, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 1770000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 3270000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 30A0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 5710000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 6710000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 6840000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 7840000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 7BE0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 8BE0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: 9BE0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2610000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 27F0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 47F0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2092
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5351
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7028	Thread sleep time: -27670116110564310s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6908	Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
                        Source: nuCc19sDOl.exe, 00000000.00000002.1682491863.0000000004C8F000.00000004.00000800.00020000.00000000.sdmp, d3d9.dll.0.dr	Binary or memory string: DQEMu
                        Source: MSBuild.exe, 00000002.00000002.1818477267.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF65FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF6BD3B GetProcessHeap
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF65AF1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF65FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF69F67 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF57A60 HuaweiShare,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 74C008
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Code function: 0_2_6CF66188 cpuid
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exe	Queries volume information: C:\Users\user\Desktop\nuCc19sDOl.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\nuCc19sDOl.exeCode function: 0_2_6CF65C13 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6CF65C13
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.nuCc19sDOl.exe.6cf79000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nuCc19sDOl.exe.6cf79000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nuCc19sDOl.exe.6cf50000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1818185346.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nuCc19sDOl.exe PID: 6652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6864, type: MEMORYSTR
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLR^q
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR^q
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `,^qdC:\Users\user\AppData\Roaming\Binance
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR^q
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q&%localappdata%\Coinomi\Coinomi\walletsLR^qD
Source: MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6864, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.nuCc19sDOl.exe.6cf79000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nuCc19sDOl.exe.6cf79000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nuCc19sDOl.exe.6cf50000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1818185346.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nuCc19sDOl.exe PID: 6652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6864, type: MEMORYSTR
MITRE ATT&CK Matrix

One column per tactic; a leading number marks a technique that this analysis matched, as shown in the report.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 341 Security Software Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 124 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
nuCc19sDOl.exe | 74% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine |
nuCc19sDOl.exe | 46% | Virustotal | | Browse
nuCc19sDOl.exe | 100% | Avira | HEUR/AGEN.1310947 |
nuCc19sDOl.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\d3d9.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\d3d9.dll | 88% | ReversingLabs | Win32.Trojan.LummaStealer |
C:\Users\user\AppData\Roaming\d3d9.dll | 73% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
bg.microsoft.map.fastly.net | 0% | Virustotal | | Browse
fp2e7a.wpc.phicdn.net | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
                        NameSourceMaliciousAntivirus DetectionReputation
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextMSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/sc/sctMSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkMSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id14ResponseDMSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://tempuri.org/Entity/Id23ResponseDMSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryMSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
Column legend for the rows below: Source URL | Found in (a file name alone means the string was found in that file on disk; a process name followed by a dump id means it was found in that process's memory dump) | Malicious | Reputation | Context. Almost every entry is an XML namespace constant (tempuri.org, schemas.xmlsoap.org, docs.oasis-open.org) that .NET's WCF stack (System.ServiceModel) keeps in memory; these are never contacted and only show that the code injected into MSBuild.exe is a WCF client. The one entry that names a reachable host is https://api.ip.sb/ip, found both in nuCc19sDOl.exe and in MSBuild.exe memory, including a region at 0x00402000, which is consistent with the injected-PE signatures above.

Source URL | Found in | Malicious | Reputation | Context
http://tempuri.org/Entity/Id12Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15V | MSBuild.exe, 00000002.00000002.1819320060.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13ResponseD | MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | nuCc19sDOl.exe; nuCc19sDOl.exe, 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp; MSBuild.exe, 00000002.00000002.1818185346.0000000000402000.00000040.00000400.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id20 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23 | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21ResponseD | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10ResponseD | MSBuild.exe, 00000002.00000002.1819320060.0000000002A6F000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19 | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15ResponseD | MSBuild.exe, 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11ResponseD | MSBuild.exe, 00000002.00000002.1819320060.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8Response | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17ResponseD | MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1819320060.0000000002A77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | MSBuild.exe, 00000002.00000002.1819320060.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8ResponseD | MSBuild.exe, 00000002.00000002.1819320060.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
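The rows above are usable only after the glued columns are split apart again and the WCF namespace noise is separated from real network indicators. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It assumes only what the report shows: each row is the URL, the source list and a trailing true/false run together, the process names in this analysis are nuCc19sDOl.exe and MSBuild.exe, and (an assumption, consistent with every dump id on the page) the fourth dotted field of a .sdmp id is the region's base address. The three sample rows are copied from the table above.

```python
"""Triage the flattened 'URLs found in memory' rows of a sandbox report."""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Process names from the report's own process list. The parser needs them because
# extraction glued the URL directly onto the first source name (".../Id12ResponseMSBuild.exe").
KNOWN_PROCESSES = ("nuCc19sDOl.exe", "MSBuild.exe")

# Hosts that .NET's System.ServiceModel (WCF) embeds as XML namespace constants.
# Seeing them in memory means a WCF client is loaded, not that they are contacted.
FRAMEWORK_NAMESPACE_HOSTS = frozenset({
    "tempuri.org", "schemas.xmlsoap.org", "docs.oasis-open.org",
    "schemas.microsoft.com", "www.w3.org",
})

# Constructed sample input: three rows copied verbatim from the report's table.
SAMPLE_ROWS = [
    "http://tempuri.org/Entity/Id12ResponseMSBuild.exe, 00000002.00000002.1819320060."
    "00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretMSBuild.exe, 00000002."
    "00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse",
    "https://api.ip.sb/ipnuCc19sDOl.exe, nuCc19sDOl.exe, 00000000.00000002.1685085815."
    "000000006CF79000.00000004.00000001.01000000.00000007.sdmp, MSBuild.exe, 00000002."
    "00000002.1818185346.0000000000402000.00000040.00000400.00020000.00000000.sdmp, "
    "MSBuild.exe, 00000002.00000002.1819320060.0000000002884000.00000004.00000800."
    "00020000.00000000.sdmpfalse",
]


@dataclass
class UrlHit:
    url: str
    file_sources: List[str]                # the string was found in this file on disk
    memory_sources: List[Tuple[str, str]]  # (process name, memory-dump id)
    malicious: bool


# Longest names first so a name that is a suffix of another cannot win by accident.
_PROC_ALT = "|".join(re.escape(p) for p in sorted(KNOWN_PROCESSES, key=len, reverse=True))
_ROW_RE = re.compile(rf"^(?P<url>.+?)(?P<sources>(?:{_PROC_ALT})(?:, .+?)?)(?P<mal>true|false)$")


def _split_sources(tokens: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """A .sdmp token belongs to the process token before it; a process token
    that is not followed by a dump id denotes the file itself."""
    files, mem, pending = [], [], None
    for tok in tokens:
        if tok.endswith(".sdmp"):
            if pending is None:
                raise ValueError(f"memory dump without an owning process: {tok}")
            mem.append((pending, tok))
            pending = None
        else:
            if pending is not None:
                files.append(pending)
            pending = tok
    if pending is not None:
        files.append(pending)
    return files, mem


def parse_row(row: str) -> UrlHit:
    m = _ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"row does not match the report layout: {row!r}")
    files, mem = _split_sources(m.group("sources").split(", "))
    return UrlHit(m.group("url"), files, mem, m.group("mal") == "true")


def dump_base_address(dump_id: str) -> int:
    """Assumption: the fourth dotted field of a dump id is the region base address
    (0x402000 for the image injected into MSBuild.exe in this report)."""
    return int(dump_id.split(".")[3], 16)


def classify(hit: UrlHit) -> str:
    host = urlsplit(hit.url).hostname or ""
    return "framework-constant" if host in FRAMEWORK_NAMESPACE_HOSTS else "network-indicator"


def processes_touched(hit: UrlHit) -> List[str]:
    return sorted(set(hit.file_sources) | {proc for proc, _ in hit.memory_sources})


def network_indicators(rows: List[str]) -> List[UrlHit]:
    """Only the rows worth pivoting on: hosts that are not framework namespaces."""
    return [h for h in map(parse_row, rows) if classify(h) == "network-indicator"]


if __name__ == "__main__":
    for hit in network_indicators(SAMPLE_ROWS):
        print(hit.url, "in", ", ".join(processes_touched(hit)))
        for proc, dump in hit.memory_sources:
            print(f"  {proc} @ 0x{dump_base_address(dump):08X}")
```

Run against the three sample rows it keeps only https://api.ip.sb/ip and reports it in both nuCc19sDOl.exe and MSBuild.exe, with one MSBuild.exe hit at 0x00402000; the two WCF namespace rows are classified as framework constants and dropped.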
IP | Domain | Country | ASN | ASN Name | Malicious
5.42.92.213 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483425
Start date and time: 2024-07-27 12:11:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of newly started processes analysed: 8
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nuCc19sDOl.exe (renamed because the original name is a hash value)
Original Sample Name: 01e059b3901bd579fb8ea4ebc34009f9.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 54
• Number of non-executed functions: 29
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.114.59.183, 199.232.214.172, 192.229.221.95, 20.242.39.171, 52.165.164.15
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behaviour information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
06:12:06 | API Interceptor | 38x Sleep call for process MSBuild.exe modified (the sandbox shortened the sample's sleeps so that the analysis did not stall on them; see the long-sleep signature above)
                        No context
The two domain matches below (fp2e7a.wpc.phicdn.net and bg.microsoft.map.fastly.net) are CDN hosts whose IPs appear in the whitelisted-IP list in the Cookbook Comments above; unrelated samples share them because Windows itself contacts them, so they do not indicate shared attacker infrastructure. The ASN match is the relevant one: the C2 address 5.42.92.213 sits in the same ASN as other recent RedLine and RisePro samples. The SHA-256 and link columns of the original table were hyperlinks and are omitted here.

Match | Associated sample name / URL | Detection | Threat name | Context
fp2e7a.wpc.phicdn.net | d34e1p5zD2.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | Mu7iyblZk8.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | R86BRY7DdC.exe | malicious | Snake Keylogger | 192.229.221.95
fp2e7a.wpc.phicdn.net | d34e1p5zD2.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | 41DLTjkmOm.exe | malicious | Remcos | 192.229.221.95
fp2e7a.wpc.phicdn.net | Ycj3d5NMhc.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://azadengg.com/MTQwOTk4NzcwMg==sfmaxWjJWdUxYQm5lQzA0TXpVMU1EZ3dNMmxtZUdOb1lYWmxlbkpwYzNoaGFYSmliM0p1TG1OdmJRPT0=&c=E,1,LZxP3HHb1f9qSYvI9qirqXkUUBAc_Lly3K7xLwNdfYOBECyaKUoAd-t3gcHqWT79cExKeBU56i8wGFRIGcXn5xtHq6aoS1GJuvxV76lYjLuWHw,,&typo=1 | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | x.ps1 | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | invoker.ps1 | malicious | Unknown | 192.229.221.95
bg.microsoft.map.fastly.net | d34e1p5zD2.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | QIKiV83Pkl.exe | malicious | DCRat | 199.232.214.172
bg.microsoft.map.fastly.net | 41DLTjkmOm.exe | malicious | Remcos | 199.232.210.172
bg.microsoft.map.fastly.net | Ycj3d5NMhc.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | oz9Blof9tN.msi | malicious | CobaltStrike | 199.232.214.172
bg.microsoft.map.fastly.net | QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 199.232.210.172
bg.microsoft.map.fastly.net | invoker.ps1 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://investors.spotify.com.th.wuush.us.kg/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://cache.netflix.com.sg3.wuush.us.kg/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://apple.vn377.com/ | malicious | Unknown | 199.232.214.172

Match (ASN) | Associated sample name / URL | Detection | Threat name | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002A_199.exe | malicious | RedLine | 5.42.65.68
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002A_240.exe | malicious | RisePro Stealer | 5.42.65.117
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002A_240.exe | malicious | RisePro Stealer | 5.42.65.117
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002A_422.exe | malicious | RedLine | 5.42.65.68
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002B_301.exe | malicious | Bdaejec, GCleaner | 5.42.65.115
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002B_98.exe | malicious | Bdaejec, GCleaner, Nymaim | 5.42.64.3
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002C_44.exe | malicious | EICAR | 5.42.96.78
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002C_45.exe | malicious | PureLog Stealer, RedLine | 5.42.65.68
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | LisectAVT_2403002A_479.exe | malicious | RisePro Stealer | 5.42.65.117
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | 7d69f17f.exe | malicious | RedLine | 45.15.156.186
                        No context
                        No context
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):3094
                        Entropy (8bit):5.33145931749415
                        Encrypted:false
                        SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                        MD5:3FD5C0634443FB2EF2796B9636159CB6
                        SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                        SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                        SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Users\user\Desktop\nuCc19sDOl.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):42
                        Entropy (8bit):4.0050635535766075
                        Encrypted:false
                        SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                        MD5:84CFDB4B995B1DBF543B26B86C863ADC
                        SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                        SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                        SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                        Process:C:\Users\user\Desktop\nuCc19sDOl.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):474112
                        Entropy (8bit):6.079874930357952
                        Encrypted:false
                        SSDEEP:12288:ftPYiCgkpxunuWo1jrKrAahMAFfyUImDCjN:ftPYiCX0IjrKrAahzvImDC
                        MD5:27A834D436810EE96B12694BEFDB3B43
                        SHA1:D6FFDD44C46DB61F62A9DF2998DE8FA3B201F056
                        SHA-256:F10655DED0EF7FAF5E2044747589333F3A04A36DBD7890903DA55F0C44E382D2
                        SHA-512:911276F8F2DBB597710C1F94973A98C5E2E8283CA99831AB5E62BA58B3EDE9FB4CC42EC98880BCF16D30F8E85751AD889382D186D31F6EF41655CC0E3A730E7A
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 88%
• Antivirus: Virustotal, Detection: 73%
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L....(.f...........!...&.....<.......Z....... ...............................p............@.........................@...T.......<............................P......`u...............................t..@............ ..P............................text...3........................... ..`.rdata..2h... ...j..................@..@.data...T............t..............@....reloc.......P......."..............@..B................................................................................................................................................................................................................................................................................................................................
                        File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):6.725005035511834
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:nuCc19sDOl.exe
                        File size:625'152 bytes
                        MD5:01e059b3901bd579fb8ea4ebc34009f9
                        SHA1:19b0a2db06db2afbef2b95221d2c11fe4107aa43
                        SHA256:05e5cab97709be490b7216163e29d326f43d4f273bdfccf93a485212064b4aca
                        SHA512:05883c1f726dfba182b7d9cfa290d77ba74d3ce2985a1718f16a22744edadab2e3afc1793c4a3f54368d5ef7cdacb9e1babd31f38d493fbbc01d853c9a2be3af
                        SSDEEP:12288:4JP/raKAKMPNmB+owvLgT9DBGZLZ9i9OurXl5AFy7t9kHtFn7S9F+nI7WU15TOY1:4/AHPQB+hIBG1kOH6
                        TLSH:61D42DDD765072DFC85BC972CEA81C68EA5034BB871B9203906719EDDA5E89BCF140F2
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.f.................~..........^.... ........@.. ....................................@................................
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0x499d5e
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows cui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x669D28CF [Sun Jul 21 15:27:11 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times in the report: the jmp above is the whole native stub, 6 bytes ending exactly at the .text virtual-size boundary, 0x99d5e + 6 = 0x99d64; the zero-filled memory that follows it decodes as 00 00 = add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x99d08 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x688 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x97d64 | 0x97e00 | ab7c224893805d7176f0f9f899a3ef75 | False | 0.6113554526748971 | data | 6.731080317743544 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9a000 | 0x688 | 0x800 | 9bc5dfd6bf6476c433eaea498b1218ee | False | 0.35302734375 | data | 3.635968076664953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9c000 | 0xc | 0x200 | 5e5aec80690ad0a08256d137cd4bdf18 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x9a0a0 | 0x3fc | data | | | 0.4088235294117647
RT_MANIFEST | 0x9a49c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
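The entry-point instruction, the data directories, the section table and the import list above together describe the standard native stub of a managed executable: a CLR header (COM_DESCRIPTOR) is present, the entry point is a single jmp through the IAT slot at 0x402000, and the only import is mscoree!_CorExeMain, so the real code lives in the CIL and the import hash is the one shared by every .NET PE. The following Python is an added example, not part of the Joe Sandbox report, that recomputes three of the report's derived values from the raw numbers in these tables: the section each data directory falls in, the import hash, and whether the entry point is the CLR stub. The numbers are transcribed from the tables; the section-containment rule and the pefile-style imphash algorithm are my own description of how those values are usually computed, not something the report states.

```python
import hashlib
from dataclasses import dataclass

# Values transcribed from the static-file tables of this report.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x499d5e
JMP_TARGET_VA = 0x402000            # operand of the entry instruction: jmp dword ptr [00402000h]
IMPORTS = [("mscoree.dll", "_CorExeMain")]
DATA_DIRS = {                       # name: (RVA, size); empty entries omitted
    "IMPORT": (0x99d08, 0x53),
    "RESOURCE": (0x9a000, 0x688),
    "BASERELOC": (0x9c000, 0xc),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}


@dataclass(frozen=True)
class Section:
    name: str
    va: int         # RVA of the section start
    vsize: int      # virtual size
    raw_size: int   # size on disk, padded to file alignment


SECTIONS = [
    Section(".text", 0x2000, 0x97d64, 0x97e00),
    Section(".rsrc", 0x9a000, 0x688, 0x800),
    Section(".reloc", 0x9c000, 0xc, 0x200),
]


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose extent contains rva, or None for header/unmapped space.
    The larger of virtual and raw size is used so that data placed in a section's
    on-disk padding still resolves to that section."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s.name
    return None


def directory_sections(dirs=DATA_DIRS, sections=SECTIONS):
    """Recompute the 'Is in Section' column of the data-directory table from the RVAs."""
    return {name: section_for_rva(rva, sections) for name, (rva, _size) in dirs.items()}


def imphash(imports):
    """Import hash as pefile computes it: 'dll.func' per imported symbol, lowercased,
    DLL extension stripped, joined with commas, MD5 of the result. A .NET PE imports only
    mscoree!_CorExeMain, so all of them share one value and imphash cannot tell them apart."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_clr_entry_stub(entry_va=ENTRYPOINT_VA, jmp_target_va=JMP_TARGET_VA,
                      image_base=IMAGE_BASE, dirs=DATA_DIRS, imports=IMPORTS):
    """True when the native entry point is the standard managed-executable stub: a CLR
    header is present, the entry jmp reads its target from inside the IAT, the entry
    point lies in a mapped section, and the only import is mscoree!_CorExeMain."""
    if dirs.get("COM_DESCRIPTOR", (0, 0))[1] == 0:
        return False
    iat_rva, iat_size = dirs["IAT"]
    slot_in_iat = iat_rva <= jmp_target_va - image_base < iat_rva + iat_size
    single_cor_import = [(d.lower(), f) for d, f in imports] == [("mscoree.dll", "_CorExeMain")]
    return slot_in_iat and single_cor_import and section_for_rva(entry_va - image_base) is not None


if __name__ == "__main__":
    print(directory_sections())
    print("imphash:", imphash(IMPORTS))
    print("entry in:", section_for_rva(ENTRYPOINT_VA - IMAGE_BASE), "clr stub:", is_clr_entry_stub())
```

The entry RVA 0x99d5e plus the 6-byte jmp lands exactly on the .text virtual-size boundary (0x99d64), which is why the disassembly after the jmp is nothing but zero padding; for triage, the section entropy (6.73 for .text), the CLR header and the dropped DLL are the values worth pivoting on, not the import hash.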
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-27T12:12:06.512543+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:55.686346+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49737 | 20.114.59.183 | 192.168.2.4
2024-07-27T12:12:06.733994+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:09.445963+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:06.259979+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:11.913475+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:00.321853+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
2024-07-27T12:12:06.963750+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:09.826085+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:09.188597+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:11.052524+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:08.253192+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:09.726434+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:10.122926+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:05.370389+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:06.037205+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:07.886941+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:17.533976+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49731 | 20.114.59.183 | 192.168.2.4
2024-07-27T12:12:05.827728+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
2024-07-27T12:12:08.755787+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:08.971532+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:05.822240+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:12.155240+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:11.480008+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:10.128355+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:08.534683+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:11.270445+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:00.115561+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
2024-07-27T12:12:11.697363+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
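In Joe Sandbox's HTML the alert table and the packet table below it are plain adjacent cells, so text copies of a report carry the last four columns as one digit-and-dot run, e.g. `ET MALWARE Redline Stealer TCP CnC Activity4973046419192.168.2.45.42.92.213` for the first alert row. Recovering ports and addresses from such a run is not a one-regex job: `49675443192.168.2.4173.222.162.32` has ten readings that are each syntactically valid (49675/443 or 4967/5443, 192.168.2.4/173.222.162.32 or 192.168.2.41/73.222.162.32, and so on). The Python below is an added example, not part of the report or of Joe Sandbox: it enumerates every reading of the run and then breaks ties with two facts an analyst knows about the capture, namely that one endpoint is the analysis VM and that a Windows client's own port comes from the dynamic range. The four input rows are copied from the two tables on this page; the VM address 192.168.2.4, the 49152 lower bound of the dynamic range, the seven-digit SID width and the assumption that a signature name ends in a non-digit are mine, and the parser raises rather than guessing when they do not settle the question.

```python
import re

# Rows copied verbatim from the alert and packet tables of this report (not constructed):
# in the raw export the last four cells run together into one digit-and-dot string.
ROWS = [
    "2024-07-27T12:12:06.512543+0200TCP2043231ET MALWARE Redline Stealer TCP CnC Activity4973046419192.168.2.45.42.92.213",
    "2024-07-27T12:12:00.321853+0200TCP2043234ET MALWARE Redline Stealer TCP CnC - Id1Response46419497305.42.92.213192.168.2.4",
    "2024-07-27T12:12:55.686346+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434973720.114.59.183192.168.2.4",
]
PACKET_ROW = "Jul 27, 2024 12:11:53.601545095 CEST49675443192.168.2.4173.222.162.32"

SANDBOX_HOSTS = frozenset({"192.168.2.4"})  # assumption: the analysis VM, as seen in the rows above
EPHEMERAL_MIN = 49152                        # assumption: Windows client ports come from 49152-65535

# Alert rows: ISO timestamp with offset, protocol, seven-digit Emerging Threats SID, signature name
# (assumed to end in a non-digit, which holds for every row on this page), then the fused tail.
ALERT = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+[+-]\d{4})(?P<proto>[A-Z]+)(?P<sid>\d{7})"
                   r"(?P<sig>.*?[^\d])(?P<tail>[\d.]+)$")
# Packet rows: "Jul 27, 2024 12:11:53.601545095 CEST" followed directly by the fused tail.
PACKET = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} [\d:.]+ [A-Z]+)(?P<tail>[\d.]+)$")


def _ports(s):
    """Yield (port, remainder) for every prefix of s that is a valid port number."""
    for n in range(1, 6):
        p = s[:n]
        if len(p) < n or not p.isdigit() or (n > 1 and p[0] == "0"):
            return
        if int(p) <= 65535:
            yield int(p), s[n:]


def _ips(s):
    """Yield (ip, remainder) for every prefix of s that is a dotted-quad IPv4 address.
    Only the last octet is ambiguous; the first three are delimited by their dots."""
    m = re.match(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", s)
    if not m:
        return
    a, b, c, d = m.groups()
    for n in range(1, len(d) + 1):
        octets = [a, b, c, d[:n]]
        if all((o == "0" or not o.startswith("0")) and int(o) <= 255 for o in octets):
            yield ".".join(octets), s[m.start(4) + n:]


def split_tail(tail):
    """Every (src_port, dst_port, src_ip, dst_ip) reading that consumes the tail exactly."""
    return [(p1, p2, ip1, ip2)
            for p1, r1 in _ports(tail)
            for p2, r2 in _ports(r1)
            for ip1, r3 in _ips(r2)
            for ip2, r4 in _ips(r3)
            if r4 == ""]


def parse_row(row, known_hosts=SANDBOX_HOSTS):
    """Split one fused alert or packet row into fields. Ties between readings are broken by
    requiring a known host on one side, then requiring that host's port to be ephemeral;
    anything still unresolved is an error, not a guess."""
    m = ALERT.match(row) or PACKET.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    readings = split_tail(m["tail"])
    if len(readings) > 1:
        readings = [r for r in readings if {r[2], r[3]} & known_hosts]
    if len(readings) > 1:
        readings = [r for r in readings if (r[0] if r[2] in known_hosts else r[1]) >= EPHEMERAL_MIN]
    if len(readings) != 1:
        raise ValueError(f"cannot resolve tail {m['tail']!r}: {readings}")
    sp, dp, sip, dip = readings[0]
    fields = {"ts": m["ts"], "src_ip": sip, "src_port": sp, "dst_ip": dip, "dst_port": dp}
    gd = m.groupdict()
    if "sid" in gd:
        fields.update(proto=gd["proto"], sid=int(gd["sid"]), signature=gd["sig"])
    return fields


def c2_endpoints(rows, known_hosts=SANDBOX_HOSTS):
    """Remote (ip, port) pairs named by ET MALWARE alerts: the indicators to block and hunt for."""
    found = set()
    for row in rows:
        f = parse_row(row, known_hosts)
        if "MALWARE" not in f.get("signature", ""):
            continue
        found.add((f["dst_ip"], f["dst_port"]) if f["src_ip"] in known_hosts
                  else (f["src_ip"], f["src_port"]))
    return sorted(found)


if __name__ == "__main__":
    for row in ROWS + [PACKET_ROW]:
        print(parse_row(row))
    print("C2:", c2_endpoints(ROWS))
```

On the rows above this resolves the MALWARE alerts to a single remote endpoint, 5.42.92.213:46419, and leaves the two EXPLOIT alerts (Symantec CAB signature firing on inbound traffic from 20.114.59.183:443) out of the indicator list.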
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 27, 2024 12:11:53.601545095 CEST | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Jul 27, 2024 12:11:59.358750105 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:11:59.364186049 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:11:59.364263058 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:11:59.381304979 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:11:59.386472940 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:00.052894115 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:00.101584911 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:00.115561008 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:00.121463060 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:00.321852922 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:00.367137909 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:03.210824013 CEST | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Jul 27, 2024 12:12:05.370388985 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:05.392292976 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:05.600991011 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:05.601041079 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:05.601077080 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:05.601103067 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:05.601111889 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:05.601150036 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:05.601161957 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:05.648309946 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:05.822240114 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:05.827728033 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.033339024 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.037204981 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:06.047758102 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.248157024 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.259979010 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:06.265192986 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.465255976 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.508208990 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:06.512542963 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:06.518907070 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.728985071 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.733994007 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:06.746841908 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.952682018 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.963749886 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:06.970953941 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.970999002 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.971028090 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.971055984 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.971084118 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.973082066 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.973109961 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:06.973334074 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:07.280647039 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:07.335829020 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:07.886940956 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:07.894290924 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:07.894335032 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:07.894364119 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:08.228346109 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:08.253191948 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:08.260400057 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:08.468641043 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:08.524533033 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:08.534682989 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:08.539891958 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:08.754105091 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:08.755786896 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:08.761305094 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:08.969573021 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:08.971532106 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:08.986795902 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.187621117 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.188596964 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:09.193743944 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.394819021 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.445199966 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:09.445962906 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:09.451039076 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.451078892 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.451112032 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.451291084 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.451320887 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.451375961 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.451402903 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.451452017 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.451479912 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.456113100 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.456221104 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.456248999 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.456276894 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.456306934 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.681288004 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:09.726433992 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:09.826085091 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:09.832324028 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.040946960 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.085817099 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.122925997 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.128285885 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128328085 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128355026 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.128381014 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128390074 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.128408909 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128437996 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128454924 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.128464937 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128495932 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.128523111 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128530025 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.128583908 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.128598928 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128627062 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.128659010 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.128688097 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.133661032 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.133690119 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.133721113 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.133771896 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.133856058 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.133884907 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.133914948 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.133919001 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.133946896 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.133958101 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.133970976 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.133985043 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.134011030 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.134037018 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.134118080 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.134186029 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.134273052 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.134318113 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.134346008 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.134367943 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.134383917 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.134423971 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.139820099 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.139883995 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140083075 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140136003 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140183926 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140243053 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140574932 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140628099 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140650034 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140682936 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140703917 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140711069 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140753984 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140758991 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140788078 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140806913 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140815973 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140841007 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140842915 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140871048 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140873909 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140897036 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140899897 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.140944004 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140971899 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.140999079 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141025066 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141052008 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141077995 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141103983 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141129971 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141155958 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141181946 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141207933 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141259909 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141287088 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141314983 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141341925 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141350031 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.141367912 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141395092 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141412973 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.141422987 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141436100 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.141449928 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141477108 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141480923 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.141503096 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.141503096 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141521931 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
Jul 27, 2024 12:12:10.141530991 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141556978 CEST | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
Jul 27, 2024 12:12:10.141562939 CEST | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                        Jul 27, 2024 12:12:10.141583920 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.141587019 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.141603947 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.141611099 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.141638041 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.141638994 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.141658068 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.141664982 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.141690969 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.141699076 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.141721964 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.141725063 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.141745090 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.141748905 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.141763926 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.141799927 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145636082 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145664930 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145690918 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145692110 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145709991 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145719051 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145740032 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145746946 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145776033 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145777941 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145802975 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145803928 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145822048 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145832062 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145859003 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145859003 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145879984 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145885944 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145914078 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145922899 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.145941019 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145967960 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.145994902 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.146022081 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.146048069 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.146074057 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.146856070 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147272110 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147345066 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147372007 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147490978 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147517920 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147599936 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147902966 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147931099 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147957087 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.147988081 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148035049 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148066044 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148277998 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148310900 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148358107 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148536921 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148561954 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148565054 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148591995 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148638964 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148643017 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148663998 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148670912 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148688078 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148698092 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148739100 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148746014 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148766041 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148772955 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148802042 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148813963 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148838997 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148840904 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148864985 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148891926 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148897886 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148919106 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148946047 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148946047 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148969889 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.148972988 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.148993969 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149020910 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149025917 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149049044 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149075031 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149079084 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149102926 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149102926 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149121046 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149130106 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149156094 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149159908 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149178982 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149183035 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149210930 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149220943 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149238110 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149249077 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.149286985 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149317026 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149344921 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149372101 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149398088 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149425030 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149451971 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149482965 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149509907 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149535894 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149561882 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149588108 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149614096 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149640083 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149688005 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149713993 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149740934 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149768114 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.149794102 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151407957 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151458025 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151485920 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151842117 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151870012 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151895046 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151928902 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151954889 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.151982069 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.152008057 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.152034044 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.152060986 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.152245998 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.154735088 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.154766083 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.154789925 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.154808998 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.154814005 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.154841900 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.154869080 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.154891014 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.154918909 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.154918909 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.154947996 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.154966116 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.154974937 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155002117 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.155003071 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155019999 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.155030012 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155050039 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.155081034 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155087948 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.155109882 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155136108 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.155138016 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155162096 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.155164957 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155183077 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.155191898 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155217886 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155244112 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155271053 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155298948 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155345917 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155373096 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155399084 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155425072 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155451059 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155477047 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155503035 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155529022 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155555964 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155581951 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155607939 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155637980 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155664921 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155689955 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155739069 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155766010 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155791998 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155818939 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155844927 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155870914 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155898094 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155925035 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155951977 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.155978918 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156004906 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156030893 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156058073 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156105042 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156131983 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156157970 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156183958 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156209946 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156235933 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156261921 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156287909 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.156512976 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.157159090 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157186985 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157217026 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.157234907 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157238007 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.157263041 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157300949 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.157314062 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157341957 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157368898 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.157388926 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157416105 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157443047 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157491922 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157519102 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157545090 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157593012 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157619953 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157645941 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157672882 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157699108 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157749891 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157778025 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157804966 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157830954 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157857895 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157883883 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157910109 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157937050 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.157984018 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158011913 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158039093 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158065081 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158092022 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158118010 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158143997 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158169985 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158195972 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158221960 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158267975 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158296108 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.158323050 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161227942 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161257029 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161304951 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161331892 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161358118 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161385059 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161411047 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161458969 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161487103 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161513090 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161540031 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161566019 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161592960 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161618948 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161667109 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161694050 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161720037 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161746025 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161772013 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161798954 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161824942 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161870956 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161899090 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161925077 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161941051 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.161951065 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.161978006 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162004948 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162045956 CEST4973046419192.168.2.45.42.92.213
                        Jul 27, 2024 12:12:10.162051916 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162080050 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162106991 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162132978 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162159920 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162185907 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162213087 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162239075 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162266016 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162292004 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162321091 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162369013 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162395954 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162422895 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162447929 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162473917 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162499905 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162527084 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162553072 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162579060 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162606001 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162631989 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162657976 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162683964 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162709951 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162735939 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162761927 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162789106 CEST46419497305.42.92.213192.168.2.4
                        Jul 27, 2024 12:12:10.162815094 CEST46419497305.42.92.213192.168.2.4
Timestamp                              Source Port  Dest Port  Source IP      Dest IP
Jul 27, 2024 12:12:10.163181067 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163208008 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163239002 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163266897 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163328886 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163357019 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163408041 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163434029 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163460970 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163486958 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163532972 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163558960 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163606882 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163634062 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.163880110 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:10.163986921 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:10.168380022 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.168410063 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.168458939 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.168502092 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.168741941 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.168770075 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.168849945 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.168900013 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169022083 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169080973 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169209957 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169236898 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169286013 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169317007 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169388056 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169418097 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169444084 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169527054 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169554949 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169603109 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169630051 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169677019 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169703960 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169729948 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169763088 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169810057 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169837952 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169864893 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169891119 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169918060 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169965029 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.169991970 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170018911 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170044899 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170070887 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170097113 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170144081 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170170069 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170196056 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170222044 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170269966 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170298100 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170324087 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170350075 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170397997 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170423985 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170470953 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170497894 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170527935 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170816898 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170845032 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.170887947 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171047926 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171080112 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171309948 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:10.171313047 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171340942 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171370983 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171396971 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171412945 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:10.171447039 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171473980 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171519995 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171547890 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171941996 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171969891 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.171999931 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172025919 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172074080 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172101021 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172147036 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172174931 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172775984 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172804117 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172831059 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172857046 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.172993898 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173022032 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173069000 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173095942 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173122883 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173150063 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173311949 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173358917 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173386097 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173417091 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173444033 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173585892 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173614025 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173640013 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173763990 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173791885 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173818111 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173845053 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173871040 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173897028 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173943996 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.173990965 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174019098 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174308062 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174369097 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174396038 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174426079 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174452066 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174479008 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174504995 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174530983 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.174577951 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.176496029 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.176527023 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.176554918 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.176585913 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.176635027 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.176666975 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.176723957 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:10.176731110 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.176842928 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:10.177565098 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177592993 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177675009 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177701950 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177728891 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177756071 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177804947 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177833080 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177859068 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177885056 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177916050 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177942991 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177968979 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.177994967 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178045034 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178072929 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178098917 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178124905 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178163052 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178190947 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178237915 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178265095 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178292036 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178320885 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178347111 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178373098 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178399086 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178426027 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178452015 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178478003 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178504944 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178530931 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178556919 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178582907 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178611040 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178637028 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178663969 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178711891 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178739071 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178771019 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178797960 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178824902 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178852081 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178878069 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178905010 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.178930998 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.181984901 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182013988 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182040930 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182068110 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182094097 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182121038 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182147026 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182173967 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182202101 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182229042 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182241917 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:10.182284117 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182312965 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182339907 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182368040 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182395935 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182423115 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182449102 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182476997 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182503939 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182531118 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182579994 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182607889 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182635069 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182661057 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182687998 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182713985 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182739973 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182766914 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182792902 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182818890 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182845116 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.182872057 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:10.223756075 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.048351049 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.052524090 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:11.057439089 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.266215086 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.270445108 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:11.275599003 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.477648973 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.480007887 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:11.484930992 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.696901083 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.697362900 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:11.703248024 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.912623882 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:11.913475037 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:11.918452024 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:12.120214939 CEST   46419        49730      5.42.92.213    192.168.2.4
Jul 27, 2024 12:12:12.155240059 CEST   49730        46419      192.168.2.4    5.42.92.213
Jul 27, 2024 12:12:19.246202946 CEST   49723        80         192.168.2.4    2.19.126.163
Jul 27, 2024 12:12:19.251566887 CEST   80           49723      2.19.126.163   192.168.2.4
Jul 27, 2024 12:12:19.251626968 CEST   49723        80         192.168.2.4    2.19.126.163
Jul 27, 2024 12:13:07.382949114 CEST   49724        80         192.168.2.4    2.19.126.163
Jul 27, 2024 12:13:07.388839960 CEST   80           49724      2.19.126.163   192.168.2.4
Jul 27, 2024 12:13:07.392471075 CEST   49724        80         192.168.2.4    2.19.126.163
DNS Answers

Timestamp                              Source IP  Dest IP      Trans ID  Reply Code    Name                         CName                  Address          Type                    Class        DNS over HTTPS
Jul 27, 2024 12:12:16.770226955 CEST   1.1.1.1    192.168.2.4  0x7f6d    No error (0)  bg.microsoft.map.fastly.net  -                      199.232.214.172  A (IP address)          IN (0x0001)  false
Jul 27, 2024 12:12:16.770226955 CEST   1.1.1.1    192.168.2.4  0x7f6d    No error (0)  bg.microsoft.map.fastly.net  -                      199.232.210.172  A (IP address)          IN (0x0001)  false
Jul 27, 2024 12:12:18.180906057 CEST   1.1.1.1    192.168.2.4  0x2e1     No error (0)  fp2e7a.wpc.2be4.phicdn.net   fp2e7a.wpc.phicdn.net  -                CNAME (Canonical name)  IN (0x0001)  false
Jul 27, 2024 12:12:18.180906057 CEST   1.1.1.1    192.168.2.4  0x2e1     No error (0)  fp2e7a.wpc.phicdn.net        -                      192.229.221.95   A (IP address)          IN (0x0001)  false
Jul 27, 2024 12:12:30.412411928 CEST   1.1.1.1    192.168.2.4  0xc400    No error (0)  fp2e7a.wpc.2be4.phicdn.net   fp2e7a.wpc.phicdn.net  -                CNAME (Canonical name)  IN (0x0001)  false
Jul 27, 2024 12:12:30.412411928 CEST   1.1.1.1    192.168.2.4  0xc400    No error (0)  fp2e7a.wpc.phicdn.net        -                      192.229.221.95   A (IP address)          IN (0x0001)  false
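Added example, not part of the Joe Sandbox report: when the packet table above is copied out of the report viewer as plain text, the port and address columns are run together (the first row arrives as `46419497305.42.92.213192.168.2.4`, which is source port 46419, destination port 49730, source 5.42.92.213, destination 192.168.2.4), and a naive split is ambiguous because `4972380` can be read as 49723/80, 4972/380 or 497/2380. The Python below recovers the five columns by enumerating every syntactically valid split and scoring candidates with two facts: the sandbox host in this report is 192.168.2.4, and a TCP conversation pairs a Windows ephemeral port (49152 and up) with a service port. It then counts packets per conversation. The sample rows are copied verbatim from the table above; the scoring weights and the rule that ties are reported as errors rather than guessed are this example's assumptions.

```python
"""Parse Joe Sandbox 'TCP Packets' rows whose columns were run together on
copy/paste, e.g. 'Jul 27, 2024 12:12:10.163181067 CEST46419497305.42.92.213192.168.2.4'
(timestamp, source port, dest port, source IP, dest IP, no separators),
and summarise the result per conversation."""
import re
from collections import Counter
from itertools import product

# Sandbox VM address taken from this report; it anchors the address split.
ANALYSIS_HOST = "192.168.2.4"

# The timestamp ends at the time-zone token (CEST, UTC, ...); the fused columns follow.
_ROW = re.compile(r"^(?P<ts>.*?\b[A-Z]{3,5})(?P<tail>\d.*)$")


def _is_octet(s):
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and int(s) <= 255


def _is_port(s):
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and int(s) <= 65535


def _ip_pairs(s):
    """Yield every (ip1, ip2) cut of a string holding two dotted IPv4s back to back."""
    parts = s.split(".")
    if len(parts) != 7:          # two fused IPv4s contain exactly six dots
        return
    fused = parts[3]             # last octet of ip1 run into first octet of ip2
    for k in range(1, len(fused)):
        octets = parts[:3] + [fused[:k], fused[k:]] + parts[4:]
        if all(_is_octet(o) for o in octets):
            yield ".".join(octets[:4]), ".".join(octets[4:])


def _score(sport, dport, sip, dip, host):
    """Rank a candidate split (assumed weights): the sandbox host must appear, and a
    real conversation pairs a Windows ephemeral port (49152+) with a service port."""
    score = 2 if host in (sip, dip) else 0
    for p in (sport, dport):
        if p >= 49152:
            score += 2
        elif p < 1024:
            score += 1
    return score


def parse_row(row, host=ANALYSIS_HOST):
    """Return (timestamp, sport, dport, sip, dip). Raise ValueError when no split
    is valid or when two splits score the same (a genuinely ambiguous row)."""
    m = _ROW.match(row.strip())
    if not m:
        raise ValueError(f"no timestamp/time-zone token in {row!r}")
    ts, tail = m.group("ts"), m.group("tail")
    head, _, rest = tail.partition(".")   # head = sport + dport + first octet of sip
    cands = []
    for a, b in product(range(1, 6), range(1, 6)):   # each port is 1..5 digits
        c = len(head) - a - b                        # digits left for the first octet
        if not 1 <= c <= 3:
            continue
        sport, dport, octet = head[:a], head[a:a + b], head[a + b:]
        if not (_is_port(sport) and _is_port(dport)):
            continue
        for sip, dip in _ip_pairs(f"{octet}.{rest}"):
            sp, dp = int(sport), int(dport)
            cands.append((_score(sp, dp, sip, dip, host), ts, sp, dp, sip, dip))
    if not cands:
        raise ValueError(f"no valid port/address split for {row!r}")
    cands.sort(reverse=True)
    if len(cands) > 1 and cands[0][0] == cands[1][0]:
        raise ValueError(f"ambiguous row {row!r}: {cands[0][2:]} vs {cands[1][2:]}")
    return cands[0][1:]


def summarize_flows(rows, host=ANALYSIS_HOST):
    """Packet counts keyed by (remote IP, remote port, local port, direction)."""
    flows = Counter()
    for row in rows:
        _, sport, dport, sip, dip = parse_row(row, host)
        if sip == host:
            flows[(dip, dport, sport, "out")] += 1
        elif dip == host:
            flows[(sip, sport, dport, "in")] += 1
        else:
            flows[(sip, sport, dport, "other")] += 1
    return flows


# Rows copied from the report's packet table: the 5.42.92.213:46419 conversation
# and the first port-80 connection to 2.19.126.163.
SAMPLE_ROWS = [
    "Jul 27, 2024 12:12:10.163181067 CEST46419497305.42.92.213192.168.2.4",
    "Jul 27, 2024 12:12:10.163880110 CEST4973046419192.168.2.45.42.92.213",
    "Jul 27, 2024 12:12:10.163986921 CEST4973046419192.168.2.45.42.92.213",
    "Jul 27, 2024 12:12:10.168380022 CEST46419497305.42.92.213192.168.2.4",
    "Jul 27, 2024 12:12:19.246202946 CEST4972380192.168.2.42.19.126.163",
    "Jul 27, 2024 12:12:19.251566887 CEST80497232.19.126.163192.168.2.4",
    "Jul 27, 2024 12:12:19.251626968 CEST4972380192.168.2.42.19.126.163",
]

if __name__ == "__main__":
    for (rip, rport, lport, direction), n in sorted(summarize_flows(SAMPLE_ROWS).items()):
        print(f"{rip}:{rport} <-> {ANALYSIS_HOST}:{lport} {direction:>5} {n} pkt")
```

The enumeration is exhaustive, so the scoring only has to break ties between syntactically valid readings; for the row `80497232.19.126.163192.168.2.4` there are nine of them, and only the 80/49723 reading carries both a service port and an ephemeral port. Rows where the heuristic cannot decide raise, which is the behaviour you want when the output feeds an IOC list.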

                        Target ID:0
                        Start time:06:11:56
                        Start date:27/07/2024
                        Path:C:\Users\user\Desktop\nuCc19sDOl.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\nuCc19sDOl.exe"
                        Imagebase:0xd70000
                        File size:625'152 bytes
                        MD5 hash:01E059B3901BD579FB8EA4EBC34009F9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:06:11:56
                        Start date:27/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:06:11:57
                        Start date:27/07/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Imagebase:0x4e0000
                        File size:262'432 bytes
                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1818185346.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1819320060.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1819320060.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:18.4%
                          Dynamic/Decrypted Code Coverage:1.8%
                          Signature Coverage:11.2%
                          Total number of Nodes:599
                          Total number of Limit Nodes:6
Execution graph nodes with a resolved API or runtime symbol, in order of first appearance (the viewer's numeric node IDs and edge list are layout data and are not reproduced; the listing is cut off in the source):

Win32 / native API call sites (address: calls)
af051be   LoadLibraryW
af05549   FindCloseChangeNotification
6cf5ef7d  GetConsoleWindow
6cf641c0  WriteProcessMemory
6cf62e47  Wow64GetThreadContext
6cf63099  VirtualAllocEx
6cf65076  ReadProcessMemory
6cf6424e  Wow64SetThreadContext, ResumeThread
6cf63f02  ReadProcessMemory
6cf6429b  CloseHandle, CloseHandle
6cf6340e  WriteProcessMemory
6cf63fd2  WriteProcessMemory
6cf5ef98  ShowWindow
6cf630e9  WriteProcessMemory
6cf62f5a  VirtualAllocEx
6cf51040  IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
6cf575a0  GetModuleHandleW
6cf62d18  VirtualAlloc
6cf64e60  GetThreadContext
6cf62b37  CreateProcessW
6cf64e1d  VirtualAlloc
6cf56a00  MapViewOfFile
6cf56e95  VirtualProtect
6cf564e9  GetCurrentProcess
6cf566fd  K32GetModuleInformation, GetModuleFileNameA, CreateFileA
6cf569e2  CloseHandle
6cf56d85  VirtualProtect
6cf56f46  FindCloseChangeNotification
6cf5659d  GetModuleHandleA
6cf568a8  CreateFileMappingA
6cf56f66  CloseHandle, CloseHandle
6cf5752f  VirtualProtect
6cf5744f  GetModuleHandleA
6cf576f6  GetProcAddress
6cf5772f  NtQueryInformationProcess
6cf65789  IsProcessorFeaturePresent
6cf65af1  SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
6cf65c13  GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
6cf65fca  IsProcessorFeaturePresent
6cf66c3a  InterlockedFlushSList
6cf6608b  IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
6cf68b53  GetModuleHandleW
6cf69e93  EnterCriticalSection
6cf69edb  LeaveCriticalSection
6cf6a2bf  HeapFree
6cf6a2d4  GetLastError
6cf69cb8  GetLastError
6cf69cd8  SetLastError
6cf6bbce  TlsGetValue
6cf6bc10  TlsSetValue
6cf6a28f  HeapAlloc
6cf6bff0  EnterCriticalSection, LeaveCriticalSection (__dosmaperr)
6cf697fd  EnterCriticalSection, LeaveCriticalSection (__dosmaperr)
6cf68bae  GetModuleHandleExW
6cf68bed  GetProcAddress
6cf68c14  FreeLibrary
6cf68b30  GetCurrentProcess, TerminateProcess
6cf68b48  ExitProcess
6cf6ba7f  GetProcAddress
6cf6b999  LoadLibraryExW
6cf6b9b4  GetLastError
6cf6ba2a  FreeLibrary
6cf6b9e7  LoadLibraryExW
6cf6c7a2  EnterCriticalSection

C runtime / exception-handling symbols (address: symbol)
6cf57abf, 6cf575d1, 6cf65fe0, 6cf660cf, 6cf68a13, 6cf68b9a, 6cf69f26, 6cf689af  _unexpected
6cf51259  __InternalCxxFrameHandler
6cf65780  __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z (5 API calls)
6cf659a4, 6cf65997, 6cf658f4, 6cf69179, 6cf68947, 6cf6c476, 6cf6c3ea  ___scrt_is_nonwritable_in_current_image
6cf659cd, 6cf65a55, 6cf65a2e  dllmain_raw
6cf659e7, 6cf65a42  dllmain_crt_dispatch
6cf659c8, 6cf658e8 (81 API calls), 6cf65e10, 6cf692d5, 6cf692a2 (14 API calls)  __DllMainCRTStartup@12
6cf6592f  __RTC_Initialize
6cf65e00  ___scrt_release_startup_lock
6cf692ae  __EH_prolog3
6cf6a2e1, 6cf6a264, 6cf6ba61, 6cf6bbd6 (6 API calls), 6cf6ba35 (5 API calls), 6cf6a244 (13 API calls), 6cf6990f (14 API calls)  __dosmaperr
6cf6a2b4  __freea (12 to 14 API calls)
6cf6b97b  ___vcrt_FlsFree
6cf69468, 6cf6c480, 6cf6c3f4, 6cf6c516 (68 API calls)  ___scrt_uninitialize_crt
6cf6c635, 6cf6c642  ___std_exception_copy
13858 6cf6c7b6 LeaveCriticalSection 13831->13858 13833 6cf6c44c 13833->13802 13835 6cf6c5f7 13834->13835 13836 6cf6c5d0 13834->13836 13835->13828 13840 6cf6ca07 13835->13840 13836->13835 13837 6cf6ca07 ___scrt_uninitialize_crt 29 API calls 13836->13837 13838 6cf6c5ec 13837->13838 13839 6cf6e4d4 ___scrt_uninitialize_crt 64 API calls 13838->13839 13839->13835 13841 6cf6ca13 13840->13841 13842 6cf6ca28 13840->13842 13843 6cf6a244 __dosmaperr 14 API calls 13841->13843 13842->13829 13844 6cf6ca18 13843->13844 13845 6cf6a163 ___std_exception_copy 29 API calls 13844->13845 13846 6cf6ca23 13845->13846 13846->13829 13848 6cf6dcc6 13847->13848 13849 6cf6dcd3 13847->13849 13850 6cf6a244 __dosmaperr 14 API calls 13848->13850 13851 6cf6dd1c 13849->13851 13854 6cf6dcfa 13849->13854 13857 6cf6dccb 13850->13857 13852 6cf6a244 __dosmaperr 14 API calls 13851->13852 13853 6cf6dd21 13852->13853 13855 6cf6a163 ___std_exception_copy 29 API calls 13853->13855 13856 6cf6dc13 ___scrt_uninitialize_crt 33 API calls 13854->13856 13855->13857 13856->13857 13857->13828 13858->13833 13859->13818 13861 6cf6711b 13860->13861 13862 6cf66c9d 13860->13862 13868 6cf676a8 13861->13868 13864 6cf67168 13862->13864 13865 6cf67192 13864->13865 13866 6cf67173 13864->13866 13865->13788 13867 6cf6717d DeleteCriticalSection 13866->13867 13867->13865 13867->13867 13873 6cf67582 13868->13873 13871 6cf676da TlsFree 13872 6cf676ce 13871->13872 13872->13862 13874 6cf6759f 13873->13874 13877 6cf675a3 13873->13877 13874->13871 13874->13872 13875 6cf6760b GetProcAddress 13875->13874 13877->13874 13877->13875 13878 6cf675fc 13877->13878 13880 6cf67622 LoadLibraryExW 13877->13880 13878->13875 13879 6cf67604 FreeLibrary 13878->13879 13879->13875 13881 6cf67669 13880->13881 13882 6cf67639 GetLastError 13880->13882 13881->13877 13882->13881 13883 6cf67644 ___vcrt_FlsFree 13882->13883 13883->13881 13884 6cf6765a LoadLibraryExW 13883->13884 13884->13877 13890 6cf6947b 13885->13890 13888 6cf67111 ___vcrt_uninitialize_ptd 6 
API calls 13889 6cf6598f 13888->13889 13889->13587 13893 6cf69e38 13890->13893 13894 6cf69e42 13893->13894 13895 6cf65e25 13893->13895 13897 6cf6bb58 13894->13897 13895->13888 13898 6cf6ba35 __dosmaperr 5 API calls 13897->13898 13899 6cf6bb74 13898->13899 13900 6cf6bb8f TlsFree 13899->13900 13901 6cf6bb7d 13899->13901 13901->13895 13902->13584 13903 6cf6578e 13904 6cf657cc 13903->13904 13905 6cf65799 13903->13905 13906 6cf658e8 __DllMainCRTStartup@12 86 API calls 13904->13906 13907 6cf657be 13905->13907 13908 6cf6579e 13905->13908 13914 6cf657a8 13906->13914 13915 6cf657e1 13907->13915 13910 6cf657b4 13908->13910 13911 6cf657a3 13908->13911 13934 6cf65d9b 13910->13934 13911->13914 13929 6cf65dba 13911->13929 13916 6cf657ed ___scrt_is_nonwritable_in_current_image 13915->13916 13942 6cf65e2b 13916->13942 13918 6cf657f4 __DllMainCRTStartup@12 13919 6cf658e0 13918->13919 13920 6cf6581b 13918->13920 13927 6cf65857 ___scrt_is_nonwritable_in_current_image _unexpected 13918->13927 13922 6cf65fca __DllMainCRTStartup@12 4 API calls 13919->13922 13953 6cf65d8d 13920->13953 13923 6cf658e7 13922->13923 13924 6cf6582a __RTC_Initialize 13924->13927 13956 6cf65cab InitializeSListHead 13924->13956 13926 6cf65838 13926->13927 13957 6cf65d62 13926->13957 13927->13914 14018 6cf69443 13929->14018 14221 6cf66c7c 13934->14221 13938 6cf65db7 13938->13914 13940 6cf66c87 21 API calls 13941 6cf65da4 13940->13941 13941->13914 13943 6cf65e34 13942->13943 13961 6cf66188 IsProcessorFeaturePresent 13943->13961 13947 6cf65e45 13952 6cf65e49 13947->13952 13971 6cf69426 13947->13971 13950 6cf65e60 13950->13918 13951 6cf66c8f ___scrt_uninitialize_crt 7 API calls 13951->13952 13952->13918 14012 6cf65e64 13953->14012 13955 6cf65d94 13955->13924 13956->13926 13958 6cf65d67 ___scrt_release_startup_lock 13957->13958 13959 6cf66188 IsProcessorFeaturePresent 13958->13959 13960 6cf65d70 13958->13960 13959->13960 13960->13927 13962 6cf65e40 13961->13962 13963 6cf66c5d 13962->13963 13974 6cf6712c 13963->13974 
13966 6cf66c66 13966->13947 13968 6cf66c6e 13969 6cf66c79 13968->13969 13970 6cf67168 ___vcrt_uninitialize_locks DeleteCriticalSection 13968->13970 13969->13947 13970->13966 14003 6cf6bf48 13971->14003 13975 6cf67135 13974->13975 13977 6cf6715e 13975->13977 13978 6cf66c62 13975->13978 13988 6cf6775c 13975->13988 13979 6cf67168 ___vcrt_uninitialize_locks DeleteCriticalSection 13977->13979 13978->13966 13980 6cf670de 13978->13980 13979->13978 13993 6cf6766d 13980->13993 13983 6cf670f3 13983->13968 13986 6cf6710e 13986->13968 13987 6cf67111 ___vcrt_uninitialize_ptd 6 API calls 13987->13983 13989 6cf67582 ___vcrt_FlsFree 5 API calls 13988->13989 13990 6cf67776 13989->13990 13991 6cf67794 InitializeCriticalSectionAndSpinCount 13990->13991 13992 6cf6777f 13990->13992 13991->13992 13992->13975 13994 6cf67582 ___vcrt_FlsFree 5 API calls 13993->13994 13995 6cf67687 13994->13995 13996 6cf676a0 TlsAlloc 13995->13996 13997 6cf670e8 13995->13997 13997->13983 13998 6cf6771e 13997->13998 13999 6cf67582 ___vcrt_FlsFree 5 API calls 13998->13999 14000 6cf67738 13999->14000 14001 6cf67753 TlsSetValue 14000->14001 14002 6cf67101 14000->14002 14001->14002 14002->13986 14002->13987 14004 6cf6bf58 14003->14004 14005 6cf65e52 14003->14005 14004->14005 14007 6cf6be0c 14004->14007 14005->13950 14005->13951 14008 6cf6be13 14007->14008 14009 6cf6be56 GetStdHandle 14008->14009 14010 6cf6beb8 14008->14010 14011 6cf6be69 GetFileType 14008->14011 14009->14008 14010->14004 14011->14008 14013 6cf65e74 14012->14013 14014 6cf65e70 14012->14014 14015 6cf65fca __DllMainCRTStartup@12 4 API calls 14013->14015 14017 6cf65e81 ___scrt_release_startup_lock 14013->14017 14014->13955 14016 6cf65eea 14015->14016 14017->13955 14024 6cf69b3b 14018->14024 14021 6cf66c87 14204 6cf67013 14021->14204 14025 6cf65dbf 14024->14025 14026 6cf69b45 14024->14026 14025->14021 14027 6cf6bb97 __dosmaperr 6 API calls 14026->14027 14028 6cf69b4c 14027->14028 14028->14025 14029 6cf6bbd6 __dosmaperr 6 API calls 14028->14029 14030 
6cf69b5f 14029->14030 14032 6cf69a02 14030->14032 14033 6cf69a0d 14032->14033 14037 6cf69a1d 14032->14037 14038 6cf69a23 14033->14038 14036 6cf6a2b4 __freea 14 API calls 14036->14037 14037->14025 14039 6cf69a3e 14038->14039 14040 6cf69a38 14038->14040 14042 6cf6a2b4 __freea 14 API calls 14039->14042 14041 6cf6a2b4 __freea 14 API calls 14040->14041 14041->14039 14043 6cf69a4a 14042->14043 14044 6cf6a2b4 __freea 14 API calls 14043->14044 14045 6cf69a55 14044->14045 14046 6cf6a2b4 __freea 14 API calls 14045->14046 14047 6cf69a60 14046->14047 14048 6cf6a2b4 __freea 14 API calls 14047->14048 14049 6cf69a6b 14048->14049 14050 6cf6a2b4 __freea 14 API calls 14049->14050 14051 6cf69a76 14050->14051 14052 6cf6a2b4 __freea 14 API calls 14051->14052 14053 6cf69a81 14052->14053 14054 6cf6a2b4 __freea 14 API calls 14053->14054 14055 6cf69a8c 14054->14055 14056 6cf6a2b4 __freea 14 API calls 14055->14056 14057 6cf69a97 14056->14057 14058 6cf6a2b4 __freea 14 API calls 14057->14058 14059 6cf69aa5 14058->14059 14064 6cf6984f 14059->14064 14065 6cf6985b ___scrt_is_nonwritable_in_current_image 14064->14065 14080 6cf69e93 EnterCriticalSection 14065->14080 14067 6cf6988f 14081 6cf698ae 14067->14081 14070 6cf69865 14070->14067 14071 6cf6a2b4 __freea 14 API calls 14070->14071 14071->14067 14072 6cf698ba 14073 6cf698c6 ___scrt_is_nonwritable_in_current_image 14072->14073 14085 6cf69e93 EnterCriticalSection 14073->14085 14075 6cf698d0 14086 6cf69af0 14075->14086 14077 6cf698e3 14090 6cf69903 14077->14090 14080->14070 14084 6cf69edb LeaveCriticalSection 14081->14084 14083 6cf6989c 14083->14072 14084->14083 14085->14075 14087 6cf69aff __dosmaperr 14086->14087 14089 6cf69b26 __dosmaperr 14086->14089 14087->14089 14093 6cf6cb4b 14087->14093 14089->14077 14203 6cf69edb LeaveCriticalSection 14090->14203 14092 6cf698f1 14092->14036 14095 6cf6cbcb 14093->14095 14096 6cf6cb61 14093->14096 14097 6cf6a2b4 __freea 14 API calls 14095->14097 14120 6cf6cc19 14095->14120 14096->14095 14101 6cf6a2b4 __freea 
14 API calls 14096->14101 14103 6cf6cb94 14096->14103 14098 6cf6cbed 14097->14098 14099 6cf6a2b4 __freea 14 API calls 14098->14099 14104 6cf6cc00 14099->14104 14100 6cf6a2b4 __freea 14 API calls 14105 6cf6cbc0 14100->14105 14107 6cf6cb89 14101->14107 14102 6cf6cc27 14106 6cf6cc87 14102->14106 14117 6cf6a2b4 14 API calls __freea 14102->14117 14108 6cf6a2b4 __freea 14 API calls 14103->14108 14119 6cf6cbb6 14103->14119 14109 6cf6a2b4 __freea 14 API calls 14104->14109 14112 6cf6a2b4 __freea 14 API calls 14105->14112 14113 6cf6a2b4 __freea 14 API calls 14106->14113 14121 6cf6eac6 14107->14121 14110 6cf6cbab 14108->14110 14111 6cf6cc0e 14109->14111 14149 6cf6ebc4 14110->14149 14116 6cf6a2b4 __freea 14 API calls 14111->14116 14112->14095 14118 6cf6cc8d 14113->14118 14116->14120 14117->14102 14118->14089 14119->14100 14161 6cf6ccbc 14120->14161 14122 6cf6ead7 14121->14122 14148 6cf6ebc0 14121->14148 14123 6cf6eae8 14122->14123 14124 6cf6a2b4 __freea 14 API calls 14122->14124 14125 6cf6a2b4 __freea 14 API calls 14123->14125 14126 6cf6eafa 14123->14126 14124->14123 14125->14126 14127 6cf6eb0c 14126->14127 14128 6cf6a2b4 __freea 14 API calls 14126->14128 14129 6cf6eb1e 14127->14129 14130 6cf6a2b4 __freea 14 API calls 14127->14130 14128->14127 14131 6cf6eb30 14129->14131 14133 6cf6a2b4 __freea 14 API calls 14129->14133 14130->14129 14132 6cf6eb42 14131->14132 14134 6cf6a2b4 __freea 14 API calls 14131->14134 14135 6cf6eb54 14132->14135 14136 6cf6a2b4 __freea 14 API calls 14132->14136 14133->14131 14134->14132 14137 6cf6eb66 14135->14137 14138 6cf6a2b4 __freea 14 API calls 14135->14138 14136->14135 14139 6cf6eb78 14137->14139 14141 6cf6a2b4 __freea 14 API calls 14137->14141 14138->14137 14140 6cf6eb8a 14139->14140 14142 6cf6a2b4 __freea 14 API calls 14139->14142 14143 6cf6eb9c 14140->14143 14144 6cf6a2b4 __freea 14 API calls 14140->14144 14141->14139 14142->14140 14145 6cf6ebae 14143->14145 14146 6cf6a2b4 __freea 14 API calls 14143->14146 14144->14143 14147 6cf6a2b4 __freea 14 
API calls 14145->14147 14145->14148 14146->14145 14147->14148 14148->14103 14150 6cf6ebd1 14149->14150 14160 6cf6ec29 14149->14160 14151 6cf6ebe1 14150->14151 14152 6cf6a2b4 __freea 14 API calls 14150->14152 14153 6cf6a2b4 __freea 14 API calls 14151->14153 14155 6cf6ebf3 14151->14155 14152->14151 14153->14155 14154 6cf6ec05 14157 6cf6ec17 14154->14157 14158 6cf6a2b4 __freea 14 API calls 14154->14158 14155->14154 14156 6cf6a2b4 __freea 14 API calls 14155->14156 14156->14154 14159 6cf6a2b4 __freea 14 API calls 14157->14159 14157->14160 14158->14157 14159->14160 14160->14119 14162 6cf6cce8 14161->14162 14163 6cf6ccc9 14161->14163 14162->14102 14163->14162 14167 6cf6ec52 14163->14167 14166 6cf6a2b4 __freea 14 API calls 14166->14162 14168 6cf6cce2 14167->14168 14169 6cf6ec63 14167->14169 14168->14166 14170 6cf6ec2d __dosmaperr 14 API calls 14169->14170 14171 6cf6ec6b 14170->14171 14172 6cf6ec2d __dosmaperr 14 API calls 14171->14172 14173 6cf6ec76 14172->14173 14174 6cf6ec2d __dosmaperr 14 API calls 14173->14174 14175 6cf6ec81 14174->14175 14176 6cf6ec2d __dosmaperr 14 API calls 14175->14176 14177 6cf6ec8c 14176->14177 14178 6cf6ec2d __dosmaperr 14 API calls 14177->14178 14179 6cf6ec9a 14178->14179 14180 6cf6a2b4 __freea 14 API calls 14179->14180 14181 6cf6eca5 14180->14181 14182 6cf6a2b4 __freea 14 API calls 14181->14182 14183 6cf6ecb0 14182->14183 14184 6cf6a2b4 __freea 14 API calls 14183->14184 14185 6cf6ecbb 14184->14185 14186 6cf6ec2d __dosmaperr 14 API calls 14185->14186 14187 6cf6ecc9 14186->14187 14188 6cf6ec2d __dosmaperr 14 API calls 14187->14188 14189 6cf6ecd7 14188->14189 14190 6cf6ec2d __dosmaperr 14 API calls 14189->14190 14191 6cf6ece8 14190->14191 14192 6cf6ec2d __dosmaperr 14 API calls 14191->14192 14193 6cf6ecf6 14192->14193 14194 6cf6ec2d __dosmaperr 14 API calls 14193->14194 14195 6cf6ed04 14194->14195 14196 6cf6a2b4 __freea 14 API calls 14195->14196 14197 6cf6ed0f 14196->14197 14198 6cf6a2b4 __freea 14 API calls 14197->14198 14199 6cf6ed1a 
14198->14199 14200 6cf6a2b4 __freea 14 API calls 14199->14200 14201 6cf6ed25 14200->14201 14202 6cf6a2b4 __freea 14 API calls 14201->14202 14202->14168 14203->14092 14205 6cf65dc4 14204->14205 14206 6cf6701d 14204->14206 14205->13914 14212 6cf676e3 14206->14212 14209 6cf6771e ___vcrt_FlsSetValue 6 API calls 14210 6cf67033 14209->14210 14217 6cf66ff7 14210->14217 14213 6cf67582 ___vcrt_FlsFree 5 API calls 14212->14213 14214 6cf676fd 14213->14214 14215 6cf67715 TlsGetValue 14214->14215 14216 6cf67024 14214->14216 14215->14216 14216->14209 14218 6cf67001 14217->14218 14219 6cf6700e 14217->14219 14218->14219 14220 6cf694c9 ___std_type_info_destroy_list 14 API calls 14218->14220 14219->14205 14220->14219 14227 6cf6704c 14221->14227 14223 6cf65da0 14223->13941 14224 6cf69438 14223->14224 14225 6cf69cb8 __dosmaperr 14 API calls 14224->14225 14226 6cf65dac 14225->14226 14226->13938 14226->13940 14228 6cf67055 14227->14228 14229 6cf67058 GetLastError 14227->14229 14228->14223 14230 6cf676e3 ___vcrt_FlsGetValue 6 API calls 14229->14230 14231 6cf6706d 14230->14231 14232 6cf6708c 14231->14232 14233 6cf670d2 SetLastError 14231->14233 14234 6cf6771e ___vcrt_FlsSetValue 6 API calls 14231->14234 14232->14233 14233->14223 14235 6cf67086 _unexpected 14234->14235 14235->14232 14236 6cf670ae 14235->14236 14237 6cf6771e ___vcrt_FlsSetValue 6 API calls 14235->14237 14238 6cf6771e ___vcrt_FlsSetValue 6 API calls 14236->14238 14239 6cf670c2 14236->14239 14237->14236 14238->14239 14240 6cf694c9 ___std_type_info_destroy_list 14 API calls 14239->14240 14240->14232
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Memory$AllocThreadVirtualWrite$Context$CloseHandleReadWindowWow64$ConsoleCreateResumeShow
                          • String ID: NWf$#lH$#lH$$oJ\$$oJ\$)H?"$)H?"$-0f$-0f$2X!1$<jv$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$JGG\$NA`f$SQSyq6V1kow76dHTyR1lMG4GrkJ2aFuoQFXRphPFl6VqDTISjkDMrLlqQkzYKgagLaQJZMAcORL0eLAL1zFoPthLqkMPG8hFupfZkjdDmj6L2L0U25ZSUxzgNpdnWegMndS1DkZHXJjB3U4LvtyzCONYH36/WjsG90V6wjPl9ZJw014gq4Vhe5jfUttvPRKJ5+0vIfDmL6hRrOJrqevircXUDzwLfRQy3OGbBJFQoJIpvZDUyreKESuNiHtoLlvGeR8Z$Us6$X'$fJ>X$fJ>X$ie8$kernel32.dll$ntdll.dll$uB$yJgF$}kW8$}kW8
                          • API String ID: 3720985882-2877712817
                          • Opcode ID: c9aec5adf0c128b8d7f31c835da79109fde9b656fac9dbce0f2494faad3f9c1e
                          • Instruction ID: 782d1d3a3685d00b5185e8d74407a8a87eb4241dafcfe487eb277ab967827055
                          • Opcode Fuzzy Hash: c9aec5adf0c128b8d7f31c835da79109fde9b656fac9dbce0f2494faad3f9c1e
                          • Instruction Fuzzy Hash: FE341272B50215CFCB25CE2EC9843DABBF1AB5B351F104385D919ABBA1C7369E958F00
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: Handle$CloseFileModule$ProtectVirtual$Create$ChangeCurrentFindInformationMappingNameNotificationProcessView
                          • String ID: )[K{$:Ozj$>kcn$@$Gfp}$J2#"$J2#"$MAM$R0*V$R0*V$g'[$g'[$r[]$v9r$wT?Q$D$s$`49$r>3
                          • API String ID: 3270589029-3267666716
                          • Opcode ID: c75e289b82cde051ddebbcd32badc40ec29a5fd06bdabe270a7f093bb68f2ffb
                          • Instruction ID: 2f8e5fc55c01b83f677e648d7ce5a8d387aa2429644abdf130ea5d1ae512d049
                          • Opcode Fuzzy Hash: c75e289b82cde051ddebbcd32badc40ec29a5fd06bdabe270a7f093bb68f2ffb
                          • Instruction Fuzzy Hash: C9A34832E15315CFDB14CF3CC9843DAB7F2AB63310F61925AD61997A98C7369A988F01

                          Control-flow Graph

                          APIs
                          • GetModuleHandleW.KERNEL32 ref: 6CF575BE
                          • GetProcAddress.KERNEL32 ref: 6CF57706
                          • NtQueryInformationProcess.NTDLL ref: 6CF5775F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleInformationModuleProcProcessQuery
                          • String ID: NtQueryInformationProcess$ntdll.dll
                          • API String ID: 3384173408-2906145389
                          • Opcode ID: b6540ca62ab171a552cabd81545f60ae4d0cfd16363b20e488ea7078eb4e18e9
                          • Instruction ID: c1a2e2325861b9a1ddead978eb54b0b48176afe2139c6c4132fb337210a76505
                          • Opcode Fuzzy Hash: b6540ca62ab171a552cabd81545f60ae4d0cfd16363b20e488ea7078eb4e18e9
                          • Instruction Fuzzy Hash: EE91EFB2A69204CFCB00CFBCD5847DEBBF1EB56384F90811BD915EBB94C635991A8B41

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: d+cJ$qKp$)uP
                          • API String ID: 0-3434847562
                          • Opcode ID: 4acd9522385bedcd897c4e35de7ae4e7463a602dc369e3d671a802648bc01cbe
                          • Instruction ID: ac1e3f4c1a23972c7a538d69d188be30fb3f85891b922cbfabda811191f1d837
                          • Opcode Fuzzy Hash: 4acd9522385bedcd897c4e35de7ae4e7463a602dc369e3d671a802648bc01cbe
                          • Instruction Fuzzy Hash: 0E81CCB1606211CFDB15CF28C9E4AA6FBB1BF55300BB684E6D5228B6A7C330F950CB55

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: d+cJ$qKp$)uP
                          • API String ID: 0-3434847562
                          • Opcode ID: 156e83e6e2411e355c0dfefb4d55ea89cc714ca83ebce007379630128788a4b6
                          • Instruction ID: 9609539fdd43d7442e95ed68feb20107603c0f664a2d8103370a28816a8a28ce
                          • Opcode Fuzzy Hash: 156e83e6e2411e355c0dfefb4d55ea89cc714ca83ebce007379630128788a4b6
                          • Instruction Fuzzy Hash: 0761D2B0606211CFD708CF68C9E46A6F7A1BF15300BB284A6D2229F2A6C730FD51CB95

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: d+cJ$qKp$)uP
                          • API String ID: 0-3434847562
                          • Opcode ID: 397f6fe98ed114074495707eea712d53282a168ef4d6e2c06731ee68aac220ba
                          • Instruction ID: 07a14bcec6070b51f47e70e0f60d4db8e636e657ef8551e424c388f3b0898700
                          • Opcode Fuzzy Hash: 397f6fe98ed114074495707eea712d53282a168ef4d6e2c06731ee68aac220ba
                          • Instruction Fuzzy Hash: 8A61E0B0606201CFD708CF24C9E4AA6FBB1BF55300BB284A6D2228F2A6C330FD51CB55

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: Te^q$Te^q
                          • API String ID: 0-3743469327
                          • Opcode ID: 9c743bbef2f74d1ce68f3de0d2b75057383f1e3009a2634909154dbc0a9a45ab
                          • Instruction ID: 3cd381bbb32c6c70dfc0f53f6befd4923e804e24f7efbbc0408040a824989408
                          • Opcode Fuzzy Hash: 9c743bbef2f74d1ce68f3de0d2b75057383f1e3009a2634909154dbc0a9a45ab
                          • Instruction Fuzzy Hash: 4351D531F141558FCB088B6998A46AEFBF6FF85705F1184AAD402EB3A5CB358D05CBA1

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: Te^q$Te^q
                          • API String ID: 0-3743469327
                          • Opcode ID: 96ad75f1565fbfd814ba3d6f6e3f1379b62a2553cd7dcfd5bc88baf51014aa52
                          • Instruction ID: 55c0bbc8b0ec3c9b8229ffcf48eee9cc292ce4e8d45f09ff58a94bb9423ee467
                          • Opcode Fuzzy Hash: 96ad75f1565fbfd814ba3d6f6e3f1379b62a2553cd7dcfd5bc88baf51014aa52
                          • Instruction Fuzzy Hash: CB51D531F101558FCB08CB69D994AAEFAF6FBC9705F50846AD506EB364CB319D00CBA1

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1684970669.000000000AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_aef0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: rbfM
                          • API String ID: 0-2431342921
                          • Opcode ID: d97b5fa6c65fa0bb0f6cb196c6f6edfc59f4c13f0c34373bb0b01cf262c77d6f
                          • Instruction ID: 0dd4fae3a14755a1062ee3a93b5078e3ee906cafd9ba5be5b2a209bda03467a2
                          • Opcode Fuzzy Hash: d97b5fa6c65fa0bb0f6cb196c6f6edfc59f4c13f0c34373bb0b01cf262c77d6f
                          • Instruction Fuzzy Hash: 8DF14571B043159BC728CF79C991A7EFFE6ABC5202B54892AD582DB2E5C730ED01DB80

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: s]fN
                          • API String ID: 0-2657733947
                          • Opcode ID: 4c857a9980e07a581d2e79e3b1aee8d8618142fba082e452e4ab9a2c6ec83a39
                          • Instruction ID: f8ba85bd4a590f6d13513a975292e80ee6221521df3b7eba24136770abc9b885
                          • Opcode Fuzzy Hash: 4c857a9980e07a581d2e79e3b1aee8d8618142fba082e452e4ab9a2c6ec83a39
                          • Instruction Fuzzy Hash: 2E41AD30E11109CFD748CF6985846DFFBB2BB89210F25D4A6E459AB215D730CA418B85

                          Control-flow Graph
                          APIs
                          • __RTC_Initialize.LIBCMT ref: 6CF6592F
                          • ___scrt_uninitialize_crt.LIBCMT ref: 6CF65949
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: Initialize___scrt_uninitialize_crt
                          • String ID:
                          • API String ID: 2442719207-0
                          • Opcode ID: ad762d879a7154107691d578b78aa569cf4cb12a7fc2eb7317b4a7641022bf8a
                          • Instruction ID: b83c2079982723c5dabe011de6ea08f5861dd3bc929ca87f730c759f161ab994
                          • Opcode Fuzzy Hash: ad762d879a7154107691d578b78aa569cf4cb12a7fc2eb7317b4a7641022bf8a
                          • Instruction Fuzzy Hash: FC41D572E05629AFDB118F57C880B9F7AB5EB417A8F11411AE815B7F82C7318D458BA0

                          Control-flow Graph
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: dllmain_raw$dllmain_crt_dispatch
                          • String ID:
                          • API String ID: 3136044242-0
                          • Opcode ID: fa5c9d97af155aa6e43e6f69fb0deb653bd71a76411c6838cb440a6dbbef8d69
                          • Instruction ID: 2322c133840d40fce1b09b50ec250bd57a353ecf5810d4a2ac6a7e2e2bb9d221
                          • Opcode Fuzzy Hash: fa5c9d97af155aa6e43e6f69fb0deb653bd71a76411c6838cb440a6dbbef8d69
                          • Instruction Fuzzy Hash: D621B272D01629AFDB258F57CC80AAF3A79EB81BA8F114125F8157BF52C7318D018BE0

                          Control-flow Graph
                          APIs
                          • __RTC_Initialize.LIBCMT ref: 6CF6582E
                            • Part of subcall function 6CF65CAB: InitializeSListHead.KERNEL32(6CFC4020,6CF65838,6CF77A90,00000010,6CF657C9,?,?,?,6CF659F1,?,00000001,?,?,00000001,?,6CF77AD8), ref: 6CF65CB0
                          • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF65898
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                          • String ID:
                          • API String ID: 3231365870-0
                          • Opcode ID: 0039e73227207b6cd40d0130d85abb5ea6ebbfc42062b2b7378496395eb68d95
                          • Instruction ID: 75e5eb858806b8e69dbdc46dd696eb7678bd007476d89cf86d76a3260538e8f7
                          • Opcode Fuzzy Hash: 0039e73227207b6cd40d0130d85abb5ea6ebbfc42062b2b7378496395eb68d95
                          • Instruction Fuzzy Hash: 35210532A893019ADF11ABB7D8043DE37B1AF062ADF21045AD48077FC3DB624549C661

                          Control-flow Graph
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 6CF6BE58
                          • GetFileType.KERNELBASE(00000000), ref: 6CF6BE6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileHandleType
                          • String ID:
                          • API String ID: 3000768030-0
                          • Opcode ID: 9e3f4de4255df6e68ac528b05ea3c5a8c0ddba22fff3a3629edd02fb18456890
                          • Instruction ID: 1d24275f6981a113a4ff0d5a9b2c86376e0a8261f7ea96c0686c7dd57554a0b6
                          • Opcode Fuzzy Hash: 9e3f4de4255df6e68ac528b05ea3c5a8c0ddba22fff3a3629edd02fb18456890
                          • Instruction Fuzzy Hash: 2C11B772614B5146C7304E3F88957937AA5A767234B340F1AF3B686DE2C730D545E245

                          Control-flow Graph
                          APIs
                          • LoadLibraryW.KERNELBASE(00000000), ref: 0AF051E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1684970669.000000000AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_aef0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: dd5a6bebd61307e07cf775a2980a5edc555aeb206504e99c65db9190b5a51f5b
                          • Instruction ID: 31665d123e3fdec405d3ff67ba78dc0d864e894903332f8d91f956406df6a56a
                          • Opcode Fuzzy Hash: dd5a6bebd61307e07cf775a2980a5edc555aeb206504e99c65db9190b5a51f5b
                          • Instruction Fuzzy Hash: 6D1123B1D0061A9BCB10CF9AD944B9EFBF4FF48320F10852AD819B7250C774A940CFA5

                          Control-flow Graph
                          APIs
                          • FindCloseChangeNotification.KERNELBASE ref: 0AF05567
                          Memory Dump Source
                          • Source File: 00000000.00000002.1684970669.000000000AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_aef0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 3ca1b46b37e7e261dee844e9966420591ec6292c16cea11f1c90e01808f5b2e5
                          • Instruction ID: d0cb0cba0cda499d2cb55ce4bc02ccef4662dc47b9cb2ba86f081dd242b20450
                          • Opcode Fuzzy Hash: 3ca1b46b37e7e261dee844e9966420591ec6292c16cea11f1c90e01808f5b2e5
                          • Instruction Fuzzy Hash: 731136B1800349CFCB20DF9AD444BEEBBF4EF48324F24842AD558A7250D779A944CFA5

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: LyIS
                          • API String ID: 0-2021629764
                          • Opcode ID: 670865dc6fb5edcb61a7fcf89a64381896cc7dfe0e5bd819c3b576467dc4a9f4
                          • Instruction ID: a11cc0222355818ed16656c9250a72b69f517768c5fd1714251ba7683719e6b4
                          • Opcode Fuzzy Hash: 670865dc6fb5edcb61a7fcf89a64381896cc7dfe0e5bd819c3b576467dc4a9f4
                          • Instruction Fuzzy Hash: 4501F772B192155FD7588E7AA9901A2FBA6FBC6260364C17BC508CB351CB309916CB91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: s]fN
                          • API String ID: 0-2657733947
                          • Opcode ID: 130aaddb986e54351ecd389e6a6d33649ce4ffa93a97454fe48ae1c350bd608c
                          • Instruction ID: ca7de5406313a65883a1f832f807591e1e01141e1774487da7f370d44355542d
                          • Opcode Fuzzy Hash: 130aaddb986e54351ecd389e6a6d33649ce4ffa93a97454fe48ae1c350bd608c
                          • Instruction Fuzzy Hash: DAF0AF74D14208EFCB84CFB4D98929EBFF1EB59210F24D5A6D905D7214E7309B518B80
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: s]fN
                          • API String ID: 0-2657733947
                          • Opcode ID: 8ef0c0d2220c62e9ad7f45ca69954838f1987fa39c057e81ff14346aad957915
                          • Instruction ID: b5b12b676d189f7bd75271ad94c90a06eb768aadad454b182255c31ccf11c4c3
                          • Opcode Fuzzy Hash: 8ef0c0d2220c62e9ad7f45ca69954838f1987fa39c057e81ff14346aad957915
                          • Instruction Fuzzy Hash: 20F05E74E14209EFDB84CFB5998828EFBF2FB85205F20C5A5E905D7208E7309B518B90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bba4dc6dd7811fb29763385881723380170f469d78135844f3f6eaa0e760fb34
                          • Instruction ID: c8fbf6f11d4a99c46d2f2c9118e2a7b701af19d3317f2d2ba3b60cdce198ee8e
                          • Opcode Fuzzy Hash: bba4dc6dd7811fb29763385881723380170f469d78135844f3f6eaa0e760fb34
                          • Instruction Fuzzy Hash: 9F51C670A101069FD704EB68DD6069EB767FB80310B50C729D10B8BB69DB34ED9AC7D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 509334322fcfe371d9876c30616b17b3d2a6f5a3f0c8caab9042533217e82881
                          • Instruction ID: 062062ae86319f69bdcd036356fd13631079e51d4cc0c6f7db16498ad9df41b6
                          • Opcode Fuzzy Hash: 509334322fcfe371d9876c30616b17b3d2a6f5a3f0c8caab9042533217e82881
                          • Instruction Fuzzy Hash: 3B31E731B04215CFC705CA69A8E42BEFBF3AFC9210B6985ABD456DB291D734CD118B51
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5f373966cf67e2f983ea8630e5c3cd41e89bf520b2cd20b005fb3da072a2c1c4
                          • Instruction ID: c2ae3d98c49f673cb4c40b5a3b680bccabeba202a8477f21c34d0a6662e5e52c
                          • Opcode Fuzzy Hash: 5f373966cf67e2f983ea8630e5c3cd41e89bf520b2cd20b005fb3da072a2c1c4
                          • Instruction Fuzzy Hash: D9110231A1A3845FD7028B78E86069A7FB2BB87320B1A85B7D545DB263D6245C0AC362
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c4b841a6c9fc98dc86c6b17e442715719752eb4a71bf50540ae2de3ce74d5f5
                          • Instruction ID: 9ad6a253cf0ec507c0b1ab649d0b162475cf405d414566d08c2c834ca8a810bb
                          • Opcode Fuzzy Hash: 6c4b841a6c9fc98dc86c6b17e442715719752eb4a71bf50540ae2de3ce74d5f5
                          • Instruction Fuzzy Hash: 33118E723192454F8B584A7A98812E3FF9BBFC61B0309C5B3D45EDB25BD724E8118350
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6aa636a5cb0017546542cd0b98c1d2667eb08da44e1cf6186226edbc9a8d5cc8
                          • Instruction ID: 92ea0d2368c0b11fe8ee8e26cc164e99fc2447a22227f219ef71055978ab72ad
                          • Opcode Fuzzy Hash: 6aa636a5cb0017546542cd0b98c1d2667eb08da44e1cf6186226edbc9a8d5cc8
                          • Instruction Fuzzy Hash: 50014976B102005BC7198E3A9CC06EAFBE7FBCA620B05C56BD009CB356CA209C02C750
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 11a4b4a37edc48ce015d9677d71c4c3241884938cedbb65c65e6abf5e21442fe
                          • Instruction ID: c6b2ab56b71161409d403ffb3e17fe13bde25df109e23fb14f6f4ddf6bd5054f
                          • Opcode Fuzzy Hash: 11a4b4a37edc48ce015d9677d71c4c3241884938cedbb65c65e6abf5e21442fe
                          • Instruction Fuzzy Hash: 54012D357053449FCB354E38D8105D97BB7EBC6321F08456BD94287257CB75AC25C791
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 865e17303b054956b207d45bbe38c48d0e85dfd09765bdc9a4a6dc5524358bd1
                          • Instruction ID: dac5624db01bb9b858c205fd6ad08326c0dc5c28aac613ff034c6d6c8f8df35d
                          • Opcode Fuzzy Hash: 865e17303b054956b207d45bbe38c48d0e85dfd09765bdc9a4a6dc5524358bd1
                          • Instruction Fuzzy Hash: 6EF0B4757105155BD3289E3F9CD0A6AFADBBBC9620B04C52AE50AD7345CB20AC11C690
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a334899277d86b0eac24a0caf62b57990c5d1bd542366c3378c4a22202a081d7
                          • Instruction ID: 75a3a185067416f0ab060f840ff2043cf486f46ae26a0dda103a39f2fca43d54
                          • Opcode Fuzzy Hash: a334899277d86b0eac24a0caf62b57990c5d1bd542366c3378c4a22202a081d7
                          • Instruction Fuzzy Hash: CCC08CD598F3498FC3048B30AD6CBCAEF9AA741215F0B88898802E9193F19C812F8D11
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 939734121f5140b168bb69a3bfcea894dbc0bb48a9cabe13d516bb2ad3fab4a8
                          • Instruction ID: f8113d507f0e24dd47b4d3fdf2cf2972e4c704071cd1c6d79069405cb5d0acc2
                          • Opcode Fuzzy Hash: 939734121f5140b168bb69a3bfcea894dbc0bb48a9cabe13d516bb2ad3fab4a8
                          • Instruction Fuzzy Hash: 73D0C975301700CBC7249B25EEE8599B7F2BB566193440166D807CA2A5C7B19861CF00
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f6317a7cb72a42f5513de58d94a4c417a377e2bcbfeee9753205b18e2b8994a1
                          • Instruction ID: ca90c84eacbdf59ffcd1908893c5c6ae37f79d7c7c8513cc7779aa413142d67e
                          • Opcode Fuzzy Hash: f6317a7cb72a42f5513de58d94a4c417a377e2bcbfeee9753205b18e2b8994a1
                          • Instruction Fuzzy Hash: 1BC080346701155FC704DB38DD5455DBBF1BF4430071005249403C7195EF304F54C740
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CF65FD6
                          • IsDebuggerPresent.KERNEL32 ref: 6CF660A2
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF660BB
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 6CF660C5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                          • String ID:
                          • API String ID: 254469556-0
                          • Opcode ID: 519c86b1736ab75928a1f9afe023a0790b4462867fa2efb94762ef878ddec835
                          • Instruction ID: b1edb66bf1d5a872537fdf593d5438f2c0f25ef109d6a209154b2a600bc219d4
                          • Opcode Fuzzy Hash: 519c86b1736ab75928a1f9afe023a0790b4462867fa2efb94762ef878ddec835
                          • Instruction Fuzzy Hash: 96310AB5D05228DBDF21DF65D949BCDBBB8AF08304F1041AAE40CAB740EB719A85CF55
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CF6A05F
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CF6A069
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CF6A076
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: ed93ae2dde8f7b95928da33f07328dc59f650bf1e459f2143102f174782795be
                          • Instruction ID: 30cd2b895549013ef9959866986a639bb459dc5cde8113721f5d17eb094a997f
                          • Opcode Fuzzy Hash: ed93ae2dde8f7b95928da33f07328dc59f650bf1e459f2143102f174782795be
                          • Instruction Fuzzy Hash: E831E574911228EBCB61DF25D888BCDBBB8BF08314F5042EAE41CA7650E7309B858F54
                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CF70BB0,?,?,00000008,?,?,6CF707B3,00000000), ref: 6CF70DE2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionRaise
                          • String ID:
                          • API String ID: 3997070919-0
                          • Opcode ID: ba3b4e4b7ccb78b766dc180b0659f0dc3e1cc7f4d265f396b8a43b4625b42522
                          • Instruction ID: 0e124fa4519119f6c55c8be75e6597d917ecee7341ea8ceccaed91e84406dea3
                          • Opcode Fuzzy Hash: ba3b4e4b7ccb78b766dc180b0659f0dc3e1cc7f4d265f396b8a43b4625b42522
                          • Instruction Fuzzy Hash: D6B1AC32210648DFD725CF28D486B957BE0FF05328F258699E8E9CF6A1C776E981CB50
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CF6619E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: FeaturePresentProcessor
                          • String ID:
                          • API String ID: 2325560087-0
                          • Opcode ID: 4fe563a41ff197948c739bd5e951f4c37883c7cad8d64d65d8ea70239039a268
                          • Instruction ID: d765601158ae790c6c7f358794f18bebead4886dcbd2234917eff884e280381e
                          • Opcode Fuzzy Hash: 4fe563a41ff197948c739bd5e951f4c37883c7cad8d64d65d8ea70239039a268
                          • Instruction Fuzzy Hash: 2E516CB1F612058FEF55CF56C4817EABBF4FB89318F24852AE416EBA40D375AA00CB50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: ;
                          • API String ID: 0-919404518
                          • Opcode ID: f0bf0b7a44946ec1c0e63d63e28b8032c00336b1d1f26a336b7871208d6df453
                          • Instruction ID: a02a0a5413b82b32740605ddc2b60a5b82eb37c3cfc135e5e202f76ec0f9d1d4
                          • Opcode Fuzzy Hash: f0bf0b7a44946ec1c0e63d63e28b8032c00336b1d1f26a336b7871208d6df453
                          • Instruction Fuzzy Hash: 9E41D035F142598F8B40CFA889C5AAAFBB5BB8A200B219067E505FB251D334EE41CB91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: LNrp
                          • API String ID: 0-3348034075
                          • Opcode ID: 33ec8071e8fba807f9818ed22a52654ba08e7885dfb6070a2fdcc40ce7ad52f4
                          • Instruction ID: 831737afaccd0b356b859800be6273d564a59b9a059d3c25822fef6ff3b13e9e
                          • Opcode Fuzzy Hash: 33ec8071e8fba807f9818ed22a52654ba08e7885dfb6070a2fdcc40ce7ad52f4
                          • Instruction Fuzzy Hash: BB41D372615206CFC710CA2AC4C97ABF7E6FB89310B58896AE056DFA15D734F942CF41
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID: ;
                          • API String ID: 0-919404518
                          • Opcode ID: 5c9c4c0701376f47f5ba6fd9947db62c2fdc8dfbf507da5838df288b35589c26
                          • Instruction ID: 90e865b715fc7528770b705ab9d94ef3e713d20c70a389509edc7da1c72041cf
                          • Opcode Fuzzy Hash: 5c9c4c0701376f47f5ba6fd9947db62c2fdc8dfbf507da5838df288b35589c26
                          • Instruction Fuzzy Hash: CF41CF35F1055A8F8B40CE68C9C5AAAF7F5BB89204B219166E505FB750D334EE81CB91
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapProcess
                          • String ID:
                          • API String ID: 54951025-0
                          • Opcode ID: 1efe51588dd523a1aed67da317b576dc9a78b32ccbbbacf0c7b2e80f78f57e98
                          • Instruction ID: b2ea7ed0aaa102b40f41e8740447748920769d2455ab8e655cf3b666496670e4
                          • Opcode Fuzzy Hash: 1efe51588dd523a1aed67da317b576dc9a78b32ccbbbacf0c7b2e80f78f57e98
                          • Instruction Fuzzy Hash: 99A01130B20200CB8B808F32A20A30A3AF8AA02A80302802CA80AC2000EA3880008F22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp, Offset: 6CF79000, based on PE: true
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c1c04f1ff6574383b556a6376973668ba126c4031f6106f5aec94510e884408
                          • Instruction ID: 3baccd505bbd76a3224298f5ba5a2b140dc2f3ba1d8b082d128d39f843f48878
                          • Opcode Fuzzy Hash: 3c1c04f1ff6574383b556a6376973668ba126c4031f6106f5aec94510e884408
                          • Instruction Fuzzy Hash: BB62346144E3C29FD7238B749C746D27FB0AE5721471E09DBD8C08F4A3E2191A6AD772
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e7143b91b8ac5d5b3d29e77247bd0038fbf4dca2a3d947c10b41a28a735e9d8
                          • Instruction ID: 770c6f8217081b70ddc373a0bb4bccec3f81155a047e1fadda491871f5996a52
                          • Opcode Fuzzy Hash: 4e7143b91b8ac5d5b3d29e77247bd0038fbf4dca2a3d947c10b41a28a735e9d8
                          • Instruction Fuzzy Hash: 67F1D03AA45209CFCB04CEADE6953DEBBF2EB4A345F204116D811F7F56D22A8E058F15
                          Memory Dump Source
                          • Source File: 00000000.00000002.1684970669.000000000AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AEF0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_aef0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 26c1c7a585c11fedf383300c06378f8780edaa0a002dacba166f592402136df9
                          • Instruction ID: fbd5fd81fc8c2552ffed93e0e7b91ba5492e419d8d09c70cc7fcc66f2cd5be12
                          • Opcode Fuzzy Hash: 26c1c7a585c11fedf383300c06378f8780edaa0a002dacba166f592402136df9
                          • Instruction Fuzzy Hash: A3A1EF30B142549BCB68CF6DD48497EFBF2AFC9301B14992AE596DB2A5C330EC41DB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b60ca2321b19f24d138be5057c6a985b8fa851345c6d4679f9186a8d97f508e5
                          • Instruction ID: 84961c2789438e731a8bf54c4b3989bb7f97018418ec7d4455a0bb604965d55d
                          • Opcode Fuzzy Hash: b60ca2321b19f24d138be5057c6a985b8fa851345c6d4679f9186a8d97f508e5
                          • Instruction Fuzzy Hash: 6031AF70E11209CF9748CF6AC584ADFFBB2BB89210B16C4A7F4A5AB225D730C941CF85
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 279db3d8050db10192b8482ded46d4724c1b333c39862e802c36f5897e97487b
                          • Instruction ID: 057c8864d293a968d9c23deae0817ab9f6daab9b28d68ddc4b1c9fff2e1f73aa
                          • Opcode Fuzzy Hash: 279db3d8050db10192b8482ded46d4724c1b333c39862e802c36f5897e97487b
                          • Instruction Fuzzy Hash: 75318F70E11109CFA748CF5AC5846DFFBB2BB89210B16D497F4A6AB265D730C941CF45
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22071a154da9ca76fbc91482b7ebfea8e89d6c7c1d503ed865ba6611c2ff5bb9
                          • Instruction ID: a80f37162c2d8e44f67b177715b0b52b2a3dc9467f089790ed14b1478e85d9ee
                          • Opcode Fuzzy Hash: 22071a154da9ca76fbc91482b7ebfea8e89d6c7c1d503ed865ba6611c2ff5bb9
                          • Instruction Fuzzy Hash: CF31CE30E10108CF9788CF59C584ADFFBB2BB89220B16D497F466AB265E730C9418F86
                          Memory Dump Source
                          • Source File: 00000000.00000002.1681967635.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17b0000_nuCc19sDOl.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 45ab8ee8661c642d69b6c5c89d689c010c964527db60e7f484c7b0159874c8d2
                          • Instruction ID: ead190a38280ec753f48d4f4cc3d30bd96bad21fb1a81dd5c91f9be6c14b32e2
                          • Opcode Fuzzy Hash: 45ab8ee8661c642d69b6c5c89d689c010c964527db60e7f484c7b0159874c8d2
                          • Instruction Fuzzy Hash: 8431AD30E10209CF9748CF6AC584ADFFBF2BB89210B16D49BF4A6AB265D730C9458F45
                          APIs
                          • type_info::operator==.LIBVCRUNTIME ref: 6CF67B19
                          • ___TypeMatch.LIBVCRUNTIME ref: 6CF67C27
                          • _UnwindNestedFrames.LIBCMT ref: 6CF67D79
                          • CallUnexpected.LIBVCRUNTIME ref: 6CF67D94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                          • String ID: csm$csm$csm
                          • API String ID: 2751267872-393685449
                          • Opcode ID: cd8693324b92e1de6949871a545a8e771d43cdf47c45992496ab1dde88e7dbeb
                          • Instruction ID: 303f8bf64582f757d05bfabc30321314206123a604490997ad20e808a0cae2fa
                          • Opcode Fuzzy Hash: cd8693324b92e1de6949871a545a8e771d43cdf47c45992496ab1dde88e7dbeb
                          • Instruction Fuzzy Hash: B2B17971801209EFCF05CFA6C980A9EBBB5FF05328B25465BE8106BE15D731EA55CFA1
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 6CF66AD7
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 6CF66ADF
                          • _ValidateLocalCookies.LIBCMT ref: 6CF66B68
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 6CF66B93
                          • _ValidateLocalCookies.LIBCMT ref: 6CF66BE8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          • Opcode ID: 34fabd999862b2e51e04e9ad4e46089004927f289ee9923bbbadc50e1a188981
                          • Instruction ID: 3a38c303031ade6b640ce37b631f8b4ace3c837e3e4666b26c0eaa51ff75a5cb
                          • Opcode Fuzzy Hash: 34fabd999862b2e51e04e9ad4e46089004927f289ee9923bbbadc50e1a188981
                          • Instruction Fuzzy Hash: 2B418F34A01218DBCF00CF6AC884ADEBBB5AF4532CF148195F818DBB51D776EA19CB91
                          APIs
                          • FreeLibrary.KERNEL32(00000000,?,6CF6BA79,00000000,6CF69280,00000000,00000000,00000001,?,6CF6BBF2,00000022,FlsSetValue,6CF73CD8,6CF73CE0,00000000), ref: 6CF6BA2B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeLibrary
                          • String ID: api-ms-$ext-ms-
                          • API String ID: 3664257935-537541572
                          • Opcode ID: dac9074de15ae03da0c911b298254c46c6999be7262f76f1b9794038b3d62f2b
                          • Instruction ID: 6fac51316501a6b0b4671f4b0eb935dd3c377e879918c04013cfbe4725ae1ea2
                          • Opcode Fuzzy Hash: dac9074de15ae03da0c911b298254c46c6999be7262f76f1b9794038b3d62f2b
                          • Instruction Fuzzy Hash: 3A210532F11221EBCB268B279C44B4F7778DB423A4F250A14FD26A7E80DB31E900D6E0
                          APIs
                          • GetLastError.KERNEL32(00000001,?,6CF66C81,6CF65DA0,6CF657B9,?,6CF659F1,?,00000001,?,?,00000001,?,6CF77AD8,0000000C,6CF65AEA), ref: 6CF6705A
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF67068
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF67081
                          • SetLastError.KERNEL32(00000000,6CF659F1,?,00000001,?,?,00000001,?,6CF77AD8,0000000C,6CF65AEA,?,00000001,?), ref: 6CF670D3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          • Opcode ID: d0026bd5793ba669b0d59ce7498a72d33e920e2e67427b89b4db1bf8e10b688b
                          • Instruction ID: e85e18c8016918cf18953cf5cebfae088d0f01ffed28757b3015a9e291a91348
                          • Opcode Fuzzy Hash: d0026bd5793ba669b0d59ce7498a72d33e920e2e67427b89b4db1bf8e10b688b
                          • Instruction Fuzzy Hash: 2001B17272D3257EAA551B7B6C846D73774EB037BE734032BE55043DD0EF5249088260
                          Strings
                          • C:\Users\user\Desktop\nuCc19sDOl.exe, xrefs: 6CF6ABBA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: C:\Users\user\Desktop\nuCc19sDOl.exe
                          • API String ID: 0-2464264941
                          • Opcode ID: 5d032c4be9a252a0b37b828a73fd26227d2245f4def0d4edd60f650c90ecb5ed
                          • Instruction ID: 3180e3d0c0a69e8b5b15ef32449bc884abce4064eda9ea1c31afafc197cee678
                          • Opcode Fuzzy Hash: 5d032c4be9a252a0b37b828a73fd26227d2245f4def0d4edd60f650c90ecb5ed
                          • Instruction Fuzzy Hash: DE216D71604225AF9B019F77899099B7BE9FF0576C7048A18F91997E40E731E8508BA0
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C0FC7CE4,00000000,?,00000000,6CF714B2,000000FF,?,6CF68B48,?,?,6CF68B1C,?), ref: 6CF68BE3
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF68BF5
                          • FreeLibrary.KERNEL32(00000000,?,00000000,6CF714B2,000000FF,?,6CF68B48,?,?,6CF68B1C,?), ref: 6CF68C17
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: a4804a1b0bb81c53f4f3fb91464e99a868813aaea4236ed8aedec49c3fb7f2b9
                          • Instruction ID: 4c9af202a6bbb8cb7f19dd811b5b4972818e0257ed0fbb7edf7c3a4eeb387253
                          • Opcode Fuzzy Hash: a4804a1b0bb81c53f4f3fb91464e99a868813aaea4236ed8aedec49c3fb7f2b9
                          • Instruction Fuzzy Hash: E2016731A11529EFDB128F51DC08FAE7BB9FB05755F00452AE811A2A90DB769904CB60
                          APIs
                          • __alloca_probe_16.LIBCMT ref: 6CF6D6AA
                          • __alloca_probe_16.LIBCMT ref: 6CF6D773
                          • __freea.LIBCMT ref: 6CF6D7DA
                            • Part of subcall function 6CF6C7CA: HeapAlloc.KERNEL32(00000000,6CF6B117,6CF6C4E4,?,6CF6B117,00000220,?,?,6CF6C4E4), ref: 6CF6C7FC
                          • __freea.LIBCMT ref: 6CF6D7ED
                          • __freea.LIBCMT ref: 6CF6D7FA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: __freea$__alloca_probe_16$AllocHeap
                          • String ID:
                          • API String ID: 1096550386-0
                          • Opcode ID: 643607b804b25fd9922a369afc76f1ead5a6d6b99b2905eade35e5c8765b5f10
                          • Instruction ID: 203b4c5c50072e378c1815372c193ab98f28d2cf2b9bcbec3f350b7d79bbaf29
                          • Opcode Fuzzy Hash: 643607b804b25fd9922a369afc76f1ead5a6d6b99b2905eade35e5c8765b5f10
                          • Instruction Fuzzy Hash: 5451B172601206AFEB218F66CC84EABBBB9EF44718B310529FD1897E10EB75C814D761
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CF675D3,00000000,?,00000001,?,?,?,6CF676C2,00000001,FlsFree,6CF733B0,FlsFree), ref: 6CF6762F
                          • GetLastError.KERNEL32(?,6CF675D3,00000000,?,00000001,?,?,?,6CF676C2,00000001,FlsFree,6CF733B0,FlsFree,00000000,?,6CF67121), ref: 6CF67639
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CF67661
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID: api-ms-
                          • API String ID: 3177248105-2084034818
                          • Opcode ID: 38b3d41b0fd02df7654aa7d3f46aa0836d66b0be5545ede89ae733a179e82814
                          • Instruction ID: 1028eb68a77dfa05d8b6f33dc1cee0e7ffc85aeef375da9035e436ee38568dcb
                          • Opcode Fuzzy Hash: 38b3d41b0fd02df7654aa7d3f46aa0836d66b0be5545ede89ae733a179e82814
                          • Instruction Fuzzy Hash: 43E01A30A44205FAEB611B62EC0DF4A3E76AB01B48F604025F90DA8D91DB63951099B6
                          APIs
                          • GetConsoleOutputCP.KERNEL32(C0FC7CE4,00000000,00000000,?), ref: 6CF6DD95
                            • Part of subcall function 6CF6B76C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF6D7D0,?,00000000,-00000008), ref: 6CF6B7CD
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF6DFE7
                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF6E02D
                          • GetLastError.KERNEL32 ref: 6CF6E0D0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                          • String ID:
                          • API String ID: 2112829910-0
                          • Opcode ID: ceb8b7ecf2f3d40a4858ad709ab3a5657f77431c9e1681772d52065058cbd07c
                          • Instruction ID: 505e0893d053edbb2619e614076dde00e2fe0a87977016a4753280e26c718e32
                          • Opcode Fuzzy Hash: ceb8b7ecf2f3d40a4858ad709ab3a5657f77431c9e1681772d52065058cbd07c
                          • Instruction Fuzzy Hash: 86D18D76E05248AFDF11CFA9C880AEEBBB5FF09314F24426AE455EBB41D730A945CB50
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: AdjustPointer
                          • String ID:
                          • API String ID: 1740715915-0
                          • Opcode ID: b67f5f9979fc1100c0892e011625589455af5f34b60792401212605e9f218bed
                          • Instruction ID: 0f5d1f61231d02ae24b7bd90d1cb4bd54dd71c088558abf03246e5074c3ea02b
                          • Opcode Fuzzy Hash: b67f5f9979fc1100c0892e011625589455af5f34b60792401212605e9f218bed
                          • Instruction Fuzzy Hash: 2351AE72A05606EFEB158F66D840BAA77B4EF05718F30462BE81597F90E731EC84CB90
                          APIs
                            • Part of subcall function 6CF6B76C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF6D7D0,?,00000000,-00000008), ref: 6CF6B7CD
                          • GetLastError.KERNEL32 ref: 6CF6A41C
                          • __dosmaperr.LIBCMT ref: 6CF6A423
                          • GetLastError.KERNEL32(?,?,?,?), ref: 6CF6A45D
                          • __dosmaperr.LIBCMT ref: 6CF6A464
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                          • String ID:
                          • API String ID: 1913693674-0
                          • Opcode ID: 0218b404b0d99dc599618aecbf5fba8e1e59cb629ce4b2693ddb1d97ed928c20
                          • Instruction ID: 271bdf8d5211216e5d8a9ab422853b26aa8538db8b4038741aec6bea1aef1ad5
                          • Opcode Fuzzy Hash: 0218b404b0d99dc599618aecbf5fba8e1e59cb629ce4b2693ddb1d97ed928c20
                          • Instruction Fuzzy Hash: F721BE31604235EF9B109FB78C84A9BB7F9FF053687148629E85987E20DB31EC148BA0
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 6CF6B817
                            • Part of subcall function 6CF6B76C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF6D7D0,?,00000000,-00000008), ref: 6CF6B7CD
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF6B84F
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF6B86F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                          • String ID:
                          • API String ID: 158306478-0
                          • Opcode ID: c15f4291469a7bbba1323dabc308dd1ad6c5e07fea5075031ee4707851358570
                          • Instruction ID: 79a7e805c754e7fdca96de7ba63e32b7b183de3fbc70b0b33f26f33efd73b11d
                          • Opcode Fuzzy Hash: c15f4291469a7bbba1323dabc308dd1ad6c5e07fea5075031ee4707851358570
                          • Instruction Fuzzy Hash: 651104B2A05525BFAB1117B79CCCCAF7AACDE4629D7000924F901D2F00EB75CD0695B0
                          APIs
                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CF6EE66,00000000,00000001,00000000,?,?,6CF6E124,?,00000000,00000000), ref: 6CF6F6BD
                          • GetLastError.KERNEL32(?,6CF6EE66,00000000,00000001,00000000,?,?,6CF6E124,?,00000000,00000000,?,?,?,6CF6E6C7,00000000), ref: 6CF6F6C9
                            • Part of subcall function 6CF6F68F: CloseHandle.KERNEL32(FFFFFFFE,6CF6F6D9,?,6CF6EE66,00000000,00000001,00000000,?,?,6CF6E124,?,00000000,00000000,?,?), ref: 6CF6F69F
                          • ___initconout.LIBCMT ref: 6CF6F6D9
                            • Part of subcall function 6CF6F651: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF6F680,6CF6EE53,?,?,6CF6E124,?,00000000,00000000,?), ref: 6CF6F664
                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CF6EE66,00000000,00000001,00000000,?,?,6CF6E124,?,00000000,00000000,?), ref: 6CF6F6EE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                          • String ID:
                          • API String ID: 2744216297-0
                          • Opcode ID: 4dc99ca0187f0be07b75e2dbd151eb04851cb6c4707807a053c390faa8ea2a10
                          • Instruction ID: 4cb9e275f1e51b668cab8eeb3027b54cd484ad5669f74fae7de98881370f574c
                          • Opcode Fuzzy Hash: 4dc99ca0187f0be07b75e2dbd151eb04851cb6c4707807a053c390faa8ea2a10
                          • Instruction Fuzzy Hash: F5F0A236651128BBCF925F96DC0CBCA3F77FB0A3B5B154110FA1996920C6338960DBA4
                          APIs
                          • EncodePointer.KERNEL32(00000000,?), ref: 6CF67DC4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1685019446.000000006CF51000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF50000, based on PE: true
                          • Associated: 00000000.00000002.1685002139.000000006CF50000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685060302.000000006CF72000.00000002.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CF79000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685085815.000000006CFBA000.00000004.00000001.01000000.00000007.sdmp
                          • Associated: 00000000.00000002.1685181697.000000006CFC5000.00000002.00000001.01000000.00000007.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6cf50000_nuCc19sDOl.jbxd
                          Yara matches
                          Similarity
                          • API ID: EncodePointer
                          • String ID: MOC$RCC
                          • API String ID: 2118026453-2084237596
                          • Opcode ID: 434c0023deb8d30de3699316f6cc0dc3698eac7ec39d5d376be9ce9ef80cd96f
                          • Instruction ID: ff66025896a314a15b884641fc3e7b5604c8d7ca157f738d01ee5e674a85d604
                          • Opcode Fuzzy Hash: 434c0023deb8d30de3699316f6cc0dc3698eac7ec39d5d376be9ce9ef80cd96f
                          • Instruction Fuzzy Hash: 34415B71900209AFCF06CFA5CD80AEE7BB5FF48308F25815AF91467A50D3359955DBA0

                          Execution Graph

                          Execution Coverage:11.2%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:159
                          Total number of Limit Nodes:11
                          execution_graph 41331 6a04981 41332 6a0491c 41331->41332 41333 6a0498a 41331->41333 41337 6a05a20 41332->41337 41341 6a05a11 41332->41341 41334 6a0493d 41338 6a05a68 41337->41338 41339 6a05a71 41338->41339 41345 6a056ec 41338->41345 41339->41334 41342 6a05a68 41341->41342 41343 6a05a71 41342->41343 41344 6a056ec LoadLibraryW 41342->41344 41343->41334 41344->41343 41346 6a05b68 LoadLibraryW 41345->41346 41348 6a05bdd 41346->41348 41348->41339 41148 2614668 41149 2614684 41148->41149 41150 2614696 41149->41150 41154 26147a0 41149->41154 41159 2613e10 41150->41159 41152 26146b5 41155 26147c5 41154->41155 41163 26148a1 41155->41163 41167 26148b0 41155->41167 41160 2613e1b 41159->41160 41175 2615c54 41160->41175 41162 2616ff0 41162->41152 41164 26148b0 41163->41164 41166 26149b4 41164->41166 41171 2614248 41164->41171 41168 26148d7 41167->41168 41169 26149b4 41168->41169 41170 2614248 CreateActCtxA 41168->41170 41169->41169 41170->41169 41172 2615940 CreateActCtxA 41171->41172 41174 2615a03 41172->41174 41174->41174 41176 2615c5f 41175->41176 41179 2615c64 41176->41179 41178 261709d 41178->41162 41180 2615c6f 41179->41180 41183 2615c94 41180->41183 41182 261717a 41182->41178 41184 2615c9f 41183->41184 41187 2615cc4 41184->41187 41186 261726d 41186->41182 41189 2615ccf 41187->41189 41188 2618691 41188->41186 41189->41188 41191 261cdf0 41189->41191 41192 261ce11 41191->41192 41193 261ce35 41192->41193 41195 261cfa0 41192->41195 41193->41188 41196 261cfad 41195->41196 41198 261cfe7 41196->41198 41199 261c8d8 41196->41199 41198->41193 41200 261c8dd 41199->41200 41202 261d8f8 41200->41202 41203 261ca04 41200->41203 41202->41202 41204 261ca0f 41203->41204 41205 2615cc4 2 API calls 41204->41205 41206 261d967 41205->41206 41210 261f6c8 41206->41210 41216 261f6e0 41206->41216 41207 261d9a1 41207->41202 41211 261f711 41210->41211 41213 261f811 41210->41213 41212 261f71d 41211->41212 41214 4e60dc8 CreateWindowExW CreateWindowExW 41211->41214 41215 4e60db8 
CreateWindowExW CreateWindowExW 41211->41215 41212->41207 41213->41207 41214->41213 41215->41213 41218 261f811 41216->41218 41219 261f711 41216->41219 41217 261f71d 41217->41207 41218->41207 41219->41217 41220 4e60dc8 CreateWindowExW CreateWindowExW 41219->41220 41221 4e60db8 CreateWindowExW CreateWindowExW 41219->41221 41220->41218 41221->41218 41284 261d0b8 41285 261d0fe 41284->41285 41289 261d289 41285->41289 41292 261d298 41285->41292 41286 261d1eb 41295 261c9a0 41289->41295 41293 261d2c6 41292->41293 41294 261c9a0 DuplicateHandle 41292->41294 41293->41286 41294->41293 41296 261d300 DuplicateHandle 41295->41296 41297 261d2c6 41296->41297 41297->41286 41298 261ad38 41299 261ad3a 41298->41299 41303 261ae20 41299->41303 41311 261ae30 41299->41311 41300 261ad47 41304 261ae30 41303->41304 41305 261ae64 41304->41305 41319 261b0c8 41304->41319 41323 261b0b8 41304->41323 41305->41300 41306 261ae5c 41306->41305 41307 261b068 GetModuleHandleW 41306->41307 41308 261b095 41307->41308 41308->41300 41312 261ae32 41311->41312 41313 261ae64 41312->41313 41317 261b0c8 LoadLibraryExW 41312->41317 41318 261b0b8 LoadLibraryExW 41312->41318 41313->41300 41314 261ae5c 41314->41313 41315 261b068 GetModuleHandleW 41314->41315 41316 261b095 41315->41316 41316->41300 41317->41314 41318->41314 41320 261b0dc 41319->41320 41321 261b101 41320->41321 41327 261a870 41320->41327 41321->41306 41324 261b0dc 41323->41324 41325 261b101 41324->41325 41326 261a870 LoadLibraryExW 41324->41326 41325->41306 41326->41325 41328 261b2a8 LoadLibraryExW 41327->41328 41330 261b321 41328->41330 41330->41321 41222 d1d01c 41223 d1d034 41222->41223 41224 d1d08e 41223->41224 41229 4e60ad4 41223->41229 41238 4e61e98 41223->41238 41242 4e61ea8 41223->41242 41246 4e62c08 41223->41246 41230 4e60adf 41229->41230 41231 4e62c79 41230->41231 41233 4e62c69 41230->41233 41271 4e60bfc 41231->41271 41255 4e62da0 41233->41255 41260 4e62e6c 41233->41260 41266 4e62d90 41233->41266 41234 4e62c77 41234->41234 41239 4e61ea8 
41238->41239 41240 4e60ad4 CallWindowProcW 41239->41240 41241 4e61eef 41240->41241 41241->41224 41243 4e61ece 41242->41243 41244 4e60ad4 CallWindowProcW 41243->41244 41245 4e61eef 41244->41245 41245->41224 41249 4e62c45 41246->41249 41247 4e62c79 41248 4e60bfc CallWindowProcW 41247->41248 41251 4e62c77 41248->41251 41249->41247 41250 4e62c69 41249->41250 41252 4e62da0 CallWindowProcW 41250->41252 41253 4e62d90 CallWindowProcW 41250->41253 41254 4e62e6c CallWindowProcW 41250->41254 41251->41251 41252->41251 41253->41251 41254->41251 41257 4e62db4 41255->41257 41256 4e62e40 41256->41234 41275 4e62e48 41257->41275 41278 4e62e58 41257->41278 41261 4e62e2a 41260->41261 41262 4e62e7a 41260->41262 41264 4e62e48 CallWindowProcW 41261->41264 41265 4e62e58 CallWindowProcW 41261->41265 41263 4e62e40 41263->41234 41264->41263 41265->41263 41267 4e62db4 41266->41267 41269 4e62e48 CallWindowProcW 41267->41269 41270 4e62e58 CallWindowProcW 41267->41270 41268 4e62e40 41268->41234 41269->41268 41270->41268 41272 4e60c07 41271->41272 41273 4e6435a CallWindowProcW 41272->41273 41274 4e64309 41272->41274 41273->41274 41274->41234 41276 4e62e69 41275->41276 41281 4e6429f 41275->41281 41276->41256 41279 4e62e69 41278->41279 41280 4e6429f CallWindowProcW 41278->41280 41279->41256 41280->41279 41282 4e60bfc CallWindowProcW 41281->41282 41283 4e642aa 41282->41283 41283->41276

                          Control-flow Graph (rendered basic-block graph with executed / not-executed coloring; first listed block 6a00040-6a00072; edge list not reproduced here)
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.1830879687.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_6a00000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID: .$1
                          • API String ID: 0-1839485796
                          • Opcode ID: f8cf324abeeba82b6a056bb33d9d6d1215266a840f9e3815476300acadc9089f
                          • Instruction ID: 1f07a5563b66ed9b347ecb3cb50eb1d3e4d6fa411d78fa7dc9ec602d172e215d
                          • Opcode Fuzzy Hash: f8cf324abeeba82b6a056bb33d9d6d1215266a840f9e3815476300acadc9089f
                          • Instruction Fuzzy Hash: 6EF1E274E01228CFDB68DF65D894B9DBBB2BF89305F5081A9E40EA7290DB755E81CF10

                          Control-flow Graph (rendered basic-block graph with executed / not-executed coloring; first listed block 4e61b90-4e61b91, CreateWindowExW called from block 4e61db3-4e61e12; edge list not reproduced here)
                          Memory Dump Source
                          • Source File: 00000002.00000002.1824047626.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_4e60000_MSBuild.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 7c84da6b186234b73c3b8ba6c7a458b4e22d6bb48c62e6b97ef211ceb9d94aef
                          • Instruction ID: 6132cbb8a26b9f3626e83b11e853bf00bcf916911e2c3e39807f8fc4971c7c2d
                          • Opcode Fuzzy Hash: 7c84da6b186234b73c3b8ba6c7a458b4e22d6bb48c62e6b97ef211ceb9d94aef
                          • Instruction Fuzzy Hash: 56A19E71D09388EFEB128FA5C8509DDBFB1EF0A344F19859EE4859B262D6349846CB11

                          Control-flow Graph (rendered basic-block graph with executed / not-executed coloring; first listed block 261ae30-261ae3f, GetModuleHandleW called from block 261b068-261b093; edge list not reproduced here)
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0261B086
                          Memory Dump Source
                          • Source File: 00000002.00000002.1819145419.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_2610000_MSBuild.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 66b91f5e8ed78c3f84007aeb5f77914908a20d24e9d158719a9650b0c66d76ed
                          • Instruction ID: e7766bec33f175c9ef618aa4b9e4784b6f2ed91b3fccbb34b36f8ba8aed5c881
                          • Opcode Fuzzy Hash: 66b91f5e8ed78c3f84007aeb5f77914908a20d24e9d158719a9650b0c66d76ed
                          • Instruction Fuzzy Hash: 63710FB0A01B458FD724DF6AD14079ABBF2FF88304F048A2DD48A97B50DB75E949CB91
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E61E02
                          Memory Dump Source
                          • Source File: 00000002.00000002.1824047626.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_4e60000_MSBuild.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: e02bfb1ca6c79970a6fc3da197967e9ececd7c11952f12842e23f4ea0e8b05e8
                          • Instruction ID: 818022a872d952185f931cc775024b01410e7f23692a754fef547e1ecbfc314b
                          • Opcode Fuzzy Hash: e02bfb1ca6c79970a6fc3da197967e9ececd7c11952f12842e23f4ea0e8b05e8
                          • Instruction Fuzzy Hash: 3A51D0B1D003099FDB15CF99C884ADEFBB5FF48354F24812AE819AB210D775A845CF91
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E61E02
                          Memory Dump Source
                          • Source File: 00000002.00000002.1824047626.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_4e60000_MSBuild.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 67385e4ccd341103b58fad32797b7e2144eb707677f86ae9b0c5856a2fa34f10
                          • Instruction ID: d35696db20fe27992498d3972fc2297a76b25b383d4404085d140c4102aedb25
                          • Opcode Fuzzy Hash: 67385e4ccd341103b58fad32797b7e2144eb707677f86ae9b0c5856a2fa34f10
                          • Instruction Fuzzy Hash: 1151CFB1D00349AFDB15CF99C984ADEFBB5FF48354F24812AE819AB210D774A845CF91
                          APIs
                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E64381
                          Memory Dump Source
                          • Source File: 00000002.00000002.1824047626.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_4e60000_MSBuild.jbxd
                          Similarity
                          • API ID: CallProcWindow
                          • String ID:
                          • API String ID: 2714655100-0
                          • Opcode ID: b8e48feb1dd9efb31a0321b0d05e185edc7e7b4d96afb512f0332fede7a7764e
                          • Instruction ID: 16bd2f857c818cdbacc71e49a00cfdd34515819602f41c3566aa42656c95197c
                          • Opcode Fuzzy Hash: b8e48feb1dd9efb31a0321b0d05e185edc7e7b4d96afb512f0332fede7a7764e
                          • Instruction Fuzzy Hash: 9E4136B4A40209DFDB04CF99C488AAEBBF5FF88314F24C459D519AB361D334A840CBA4
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 026159F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1819145419.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_2610000_MSBuild.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: a2b5ce1d14e33a16d7577c1cc36074b1c062a95f9ebace48de4234d3adbac378
                          • Instruction ID: 9cce6d1129cec3abf35ee6cc4cc46bde9690fdcb456116b22b38d5a340e8bcb0
                          • Opcode Fuzzy Hash: a2b5ce1d14e33a16d7577c1cc36074b1c062a95f9ebace48de4234d3adbac378
                          • Instruction Fuzzy Hash: 8541E0B0C00619DBDB24CFA9C884B8DBBB5FF88304F24806AD409AB255DB756949CF91
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 026159F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1819145419.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_2610000_MSBuild.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: df7133010c4e7c4a80eb4aa445e338401fc8ec4b10275120d1d824c55cd79e77
                          • Instruction ID: a80c661ba369e9ac4119f413c0304dfe1075f215da60c5240047b35d8b94e32c
                          • Opcode Fuzzy Hash: df7133010c4e7c4a80eb4aa445e338401fc8ec4b10275120d1d824c55cd79e77
                          • Instruction Fuzzy Hash: 434102B0D00719CEDB24DFA9C884B8DFBF5BF44304F24805AD009AB255DB756949CF91
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0261D2C6,?,?,?,?,?), ref: 0261D387
                          Memory Dump Source
                          • Source File: 00000002.00000002.1819145419.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_2610000_MSBuild.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 657ffde120d53252256544a15368ad4190a3088058659e3de9ad479c0bc636c3
                          • Instruction ID: b84b195cf513e4159c84621f5154d6857b767432e5d72f64c726a2a47b957f88
                          • Opcode Fuzzy Hash: 657ffde120d53252256544a15368ad4190a3088058659e3de9ad479c0bc636c3
                          • Instruction Fuzzy Hash: 5E21E4B5900218DFDB10CF9AD984ADEFBF4FB48310F14801AE958A7310D374A950CFA4
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0261D2C6,?,?,?,?,?), ref: 0261D387
                          Memory Dump Source
                          • Source File: 00000002.00000002.1819145419.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_2610000_MSBuild.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 86e37efd523cef451152bc165e3ed52a789e0115f89a2d6b717359a6fa21319b
                          • Instruction ID: 9e209ec31c8481b4021fc588a8eff8e5676f76d20d810ed3aab1e4cd955d7c2c
                          • Opcode Fuzzy Hash: 86e37efd523cef451152bc165e3ed52a789e0115f89a2d6b717359a6fa21319b
                          • Instruction Fuzzy Hash: CB21E4B59002189FDB10CF9AD584ADEBBF4FB48324F14801AE958B3310D378A950CFA4
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0261B101,00000800,00000000,00000000), ref: 0261B312
                          Memory Dump Source
                          • Source File: 00000002.00000002.1819145419.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_2610000_MSBuild.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: fa369b4661dc4ecdacff6a04501400ee92d4bd08c960e8a4111f0910cb87eb01
                          • Instruction ID: 1c1b3375c0899296dae3e72bb19fcee0a534f3a7b5b04a3231b9a33061d88b8b
                          • Opcode Fuzzy Hash: fa369b4661dc4ecdacff6a04501400ee92d4bd08c960e8a4111f0910cb87eb01
                          • Instruction Fuzzy Hash: CC1103B69002488FDB10CFAAD544ADEFBF4EB88314F14846AD469A7210C379A545CFA5
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0261B101,00000800,00000000,00000000), ref: 0261B312
                          Memory Dump Source
                          • Source File: 00000002.00000002.1819145419.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_2610000_MSBuild.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 83a4355ea67a2e6ac3e3a6f728445a2ec6a7a5bb3818bb9e90a2662e7d909c14
                          • Instruction ID: 7364e7102c6888309bc47f8dbd5338d7604dfa26416df9351d939d282bc5ffdc
                          • Opcode Fuzzy Hash: 83a4355ea67a2e6ac3e3a6f728445a2ec6a7a5bb3818bb9e90a2662e7d909c14
                          • Instruction Fuzzy Hash: 8E1114B69003499FDB14CF9AD444AEEFBF4EB48314F14842EE419A7310C375A545CFA4
                          APIs
                          • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06A05AC6), ref: 06A05BCE
                          Memory Dump Source
                          • Source File: 00000002.00000002.1830879687.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_6a00000_MSBuild.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: f4d52334cbf68f067e558d79592c7d2e5e1ffc84b40eb9a144f8fa69c63d75e4
                          • Instruction ID: fb983dadcc3289aaeb8fa08e5c51c11655ec4b928f0c33e393763e364abe81aa
                          • Opcode Fuzzy Hash: f4d52334cbf68f067e558d79592c7d2e5e1ffc84b40eb9a144f8fa69c63d75e4
                          • Instruction Fuzzy Hash: 4C1112B1D002088BDB10EF9AD544B9EFBF4EF88310F14846AD459AB251E379A545CFA5
                          APIs
                          • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06A05AC6), ref: 06A05BCE
                          Memory Dump Source
                          • Source File: 00000002.00000002.1830879687.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_6a00000_MSBuild.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: deb0758e6da2640fe9b3757240e7f91b04e204402e0f6d532e9599a898455f63
                          • Instruction ID: 289b2150a18f7aba8654d31e1cce114e084b87232fde1a0cc5640fb8a8ac82d7
                          • Opcode Fuzzy Hash: deb0758e6da2640fe9b3757240e7f91b04e204402e0f6d532e9599a898455f63
                          • Instruction Fuzzy Hash: 371132B5C002088FDB20DFAAD944BDEFBF4EF88320F14842AD459AB210D378A545CFA1
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0261B086
                          Memory Dump Source
                          • Source File: 00000002.00000002.1819145419.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_2610000_MSBuild.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: e4d4294187ebc4725b1f2506e69a877a89e27c41eaf46976fb8f49c7acac4e42
                          • Instruction ID: 884d87311fa022dfcd6f5b4a9b7c58b20c3eb47c92f82a0ec9f17f5202cb0b1a
                          • Opcode Fuzzy Hash: e4d4294187ebc4725b1f2506e69a877a89e27c41eaf46976fb8f49c7acac4e42
                          • Instruction Fuzzy Hash: BD110FB5C003498FCB20DF9AD444ADEFBF4AB88324F14842AD469B7210C379A645CFA1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818885552.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d0d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b6a06051c9c5af48b2adc75d877db1084813ae11681fa7249e3559eafab28721
                          • Instruction ID: 6c991d15a621df28717d04886a544972c4308b65b3d64abd57fb36913ffc9e8f
                          • Opcode Fuzzy Hash: b6a06051c9c5af48b2adc75d877db1084813ae11681fa7249e3559eafab28721
                          • Instruction Fuzzy Hash: 6B210671500240EFCB05DF94D9C4B2ABFA6FB88314F24C66AE94D4A295C336D816CBB1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818885552.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d0d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 765e05317e27dbb1209815caf0575a6deda6ec1c0f4cc0e85569ea184d29e001
                          • Instruction ID: 2ea0720fe8d3432bf58a7a1792cf44d0ef69ae166efe0c741e9e9b8141e1223f
                          • Opcode Fuzzy Hash: 765e05317e27dbb1209815caf0575a6deda6ec1c0f4cc0e85569ea184d29e001
                          • Instruction Fuzzy Hash: C2212871500204DFDB05DF54D9C0B2ABF66FB94324F24C16EE90D4B296C336E856C6B2
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818885552.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d0d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cb219c419a9211ef970516381bc5be97afb0a43ba7f1b717eb5960ff7103ff9a
                          • Instruction ID: c8f032b72612bf88dacf623413e34bc56b38c3586566a25af2ed8f9fd210149a
                          • Opcode Fuzzy Hash: cb219c419a9211ef970516381bc5be97afb0a43ba7f1b717eb5960ff7103ff9a
                          • Instruction Fuzzy Hash: 3C212271504240DFCB05DF54D9C8B2ABF66FB98318F24C56AEC490B296C336D856CAB2
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818915719.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d1d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25ed65c786ef21cbb42d47f5afc97f08f8b6009cbffff225778ef50a9634fcf7
                          • Instruction ID: 96447c69f705f0099fe27973031d410a9249b4b8942470274192503ad791cca4
                          • Opcode Fuzzy Hash: 25ed65c786ef21cbb42d47f5afc97f08f8b6009cbffff225778ef50a9634fcf7
                          • Instruction Fuzzy Hash: 2721F575504200EFCB14DF14E984B56BB66EB88314F24C56DE8494B296CB3AD887CA71
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818915719.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d1d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0a68eddf181f66e315be2bb0614b0e4ab5b0c3094a2bc5e07fb0eeab9cea6a9e
                          • Instruction ID: 963916f0a23bf8a93c8ddddf68fa743873cd9e094383df6dfba5daea120adc4b
                          • Opcode Fuzzy Hash: 0a68eddf181f66e315be2bb0614b0e4ab5b0c3094a2bc5e07fb0eeab9cea6a9e
                          • Instruction Fuzzy Hash: EB2183755093809FC702CF24D594755BF71EB46314F28C5DAD8498F2A7C33A984ACB62
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818885552.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d0d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                          • Instruction ID: b923b600bb250980b2b34fefdba006ba6dde8898214f2e9eac6e3d1530f45e4d
                          • Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                          • Instruction Fuzzy Hash: 6F21A276504280DFCB16CF54D9C4B16BF72FB98314F28C6AADD490B256C33AD816CBA1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818885552.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d0d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                          • Instruction ID: 15fa31cffd7eb211055817ee4802608e32f9913dd551a422b37d386afc185811
                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                          • Instruction Fuzzy Hash: 8E112672404240CFCB02CF44D5C4B16BF72FB94324F28C2AADC090B256C33AE85ACBA1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818885552.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d0d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                          • Instruction ID: 733d014f4c4c7a228d0bc6e3056949839fb56a014eea2df1ba80c22afe4e7f88
                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                          • Instruction Fuzzy Hash: 7911E976504240CFCB15CF54D9C4B16BF72FB94314F28C5AADC490B696C336D45ACBA1
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818885552.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d0d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8eb1f69f3a3e4be77b72049e7db8570596a2905befdaeb530e8e9e551ae76320
                          • Instruction ID: 1f19f205a2378dcf5ca09bfe075e43512973682ac268cd21026360d7f40e2784
                          • Opcode Fuzzy Hash: 8eb1f69f3a3e4be77b72049e7db8570596a2905befdaeb530e8e9e551ae76320
                          • Instruction Fuzzy Hash: 7B01A23160D3449AEB108A69D984767FF99EF61334F1CC46BED4E4A2C6C279DC40C671
                          Memory Dump Source
                          • Source File: 00000002.00000002.1818885552.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_d0d000_MSBuild.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4fc3644f57cfbdb861918fea58616cf2c9eec4af36952c5fd3c4f93c63fd3ed3
                          • Instruction ID: cd1f706ca3ecbd321ea7e9a03cf5aa03666a4ce29cf29a56c0faa8933effcbae
                          • Opcode Fuzzy Hash: 4fc3644f57cfbdb861918fea58616cf2c9eec4af36952c5fd3c4f93c63fd3ed3
                          • Instruction Fuzzy Hash: 84F06D71509344AAEB108A1AD8C4BA6FFA8EF61734F18C45AED4D5B286C2799C44CAB1