Windows Analysis Report
qg155Ew08h.exe

Overview

General Information

Sample name: qg155Ew08h.exe (renamed because the original name is a hash value)
Original sample name: 5710e8153d3061cb80c0a4c8d1d59fec.exe
Analysis ID: 1483442
MD5: 5710e8153d3061cb80c0a4c8d1d59fec
SHA1: 1aaa05a14f5643d5e4b7db83fe0c305ebde11808
SHA256: dd4f243c9479d1de2347886a12ef03febcfc4a1ce97af2b604736b68d5e62105
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • qg155Ew08h.exe (PID: 2568 cmdline: "C:\Users\user\Desktop\qg155Ew08h.exe" MD5: 5710E8153D3061CB80C0A4C8D1D59FEC)
    • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 6664 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration:
{"C2 url": "5.42.92.213:46419", "Bot Id": "665841", "Authorization Header": "b8fe8b26d0b2238ec32b881cbf7ba27f"}
Yara matches in network traffic (Source | Rule | Description | Author):
  dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
  dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches in memory dumps (Source | Rule | Description | Author):
  00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  00000002.00000002.1793001097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (4 further entries not shown in this export)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
  0.2.qg155Ew08h.exe.6cfa9000.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  2.2.MSBuild.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0.2.qg155Ew08h.exe.6cfa9000.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0.2.qg155Ew08h.exe.6cf80000.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                        No Sigma rule has matched
                        No Snort rule has matched
IDS alerts (Timestamp | SID | Source Port | Destination Port | Protocol | Classtype):
  2024-07-27T14:37:08.405171+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:09.623236+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:15.714266+0200 | 2022930 | 443 | 49731 | TCP | A Network Trojan was detected
  2024-07-27T14:37:03.491370+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:36:57.816554+0200 | 2046045 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:06.418276+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:09.145538+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:05.530839+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:08.931062+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:06.155029+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:06.883843+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:05.739318+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:07.423761+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:09.355776+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:04.988499+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:08.622887+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:03.496914+0200 | 2046056 | 46419 | 49730 | TCP | A Network Trojan was detected
  2024-07-27T14:37:04.570201+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:07.418457+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:06.669520+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:04.779491+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:04.153821+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:05.321083+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:03.072073+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:05.947381+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:37:07.092288+0200 | 2043231 | 49730 | 46419 | TCP | A Network Trojan was detected
  2024-07-27T14:36:58.028717+0200 | 2043234 | 46419 | 49730 | TCP | A Network Trojan was detected

                        AV Detection

Source: qg155Ew08h.exe | Avira: detected
Source: 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "5.42.92.213:46419", "Bot Id": "665841", "Authorization Header": "b8fe8b26d0b2238ec32b881cbf7ba27f"}
Source: C:\Users\user\AppData\Roaming\d3d9.dll | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\d3d9.dll | Virustotal: Detection: 48%
Source: qg155Ew08h.exe | ReversingLabs: Detection: 87%
Source: qg155Ew08h.exe | Virustotal: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\d3d9.dll | Joe Sandbox ML: detected
Source: qg155Ew08h.exe | Joe Sandbox ML: detected
Source: qg155Ew08h.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: qg155Ew08h.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

Source: Malware configuration extractor | URLs: 5.42.92.213:46419
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 5.42.92.213:46419
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: global traffic | TCP traffic: 192.168.2.4:49675 -> 173.222.162.32:443
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.92.213 (48 occurrences)
Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  http://schemas.xmlsoap.org/ws/2004/10/wscoor
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002EF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15V
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002EF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002EF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002E32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: qg155Ew08h.exe, qg155Ew08h.exe, 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp, MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1793001097.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443

                        System Summary

Source: qg155Ew08h.exe, -Module-.cs | Large array initialization: _202A_200F_202B_200F_206D_202E_200E_206E_200C_206D_206F_202D_200C_200F_202E_202D_206B_202B_202C_200E_200C_202B_206F_202A_202A_202D_206D_206C_202E_206C_202D_200E_200F_206D_200B_206B_206C_202A_200D_202B_202E: array initializer size 51696
Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CF87D10 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess | 0_2_6CF87D10
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: String function: 6CF960F0 appears 33 times
                        Source: qg155Ew08h.exe, 00000000.00000002.1656301681.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs qg155Ew08h.exe
                        Source: qg155Ew08h.exe, 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenameCarnify.exe8 vs qg155Ew08h.exe
                        Source: qg155Ew08h.exe, 00000000.00000000.1650878257.00000000006E2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVictor291Lily.txtL vs qg155Ew08h.exe
                        Source: qg155Ew08h.exe | Binary or memory string: OriginalFilenameVictor291Lily.txtL vs qg155Ew08h.exe
                        Source: qg155Ew08h.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | File created: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
                        Source: qg155Ew08h.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: qg155Ew08h.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: qg155Ew08h.exe | ReversingLabs: Detection: 87%
                        Source: qg155Ew08h.exe | Virustotal: Detection: 47%
                        Source: unknown | Process created: C:\Users\user\Desktop\qg155Ew08h.exe "C:\Users\user\Desktop\qg155Ew08h.exe"
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dwrite.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msvcp140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: amsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: qg155Ew08h.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: qg155Ew08h.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Data Obfuscation

                        Source: qg155Ew08h.exe, -Module-.cs | .Net Code: _206B_200D_200C_206D_200E_200F_206A_200E_206B_200B_202E_200B_202D_206E_206B_206F_206F_206B_206A_206C_202C_206F_206D_206F_206B_202D_206A_206F_202A_206F_206B_206A_206F_200D_202C_200C_206E_206F_206A_200C_202E System.Reflection.Assembly.Load(byte[])
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CFA1294 push ecx; ret 0_2_6CFA12A7
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CFA9180 pushfd ; iretd 0_2_6CFA9181
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CFAEB17 push es; retf 0_2_6CFAEB12
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_00FD3671 push edx; iretd 0_2_00FD3679
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_0A821DE4 push 1CF44569h; iretd 0_2_0A821DE9
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_0A82055D push ss; retf 0_2_0A820567
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00EC46E7 push ebx; ret 2_2_00EC46EA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00EC46E1 push ebx; ret 2_2_00EC46E2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00EC46E3 push edx; ret 2_2_00EC46E6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00EC465F push edx; ret 2_2_00EC4662
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00EC4658 push edx; ret 2_2_00EC465A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00EC47D7 push esi; ret 2_2_00EC47DA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00ECAD01 pushfd ; ret 2_2_00ECAD02
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00ECAD03 pushfd ; ret 2_2_00ECAD0A
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | File created: C:\Users\user\AppData\Roaming\d3d9.dll (dropped file)
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match | File source: Process Memory Space: qg155Ew08h.exe PID: 2568, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: FD0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 2AA0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 1100000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 50A0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 60A0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 61D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 71D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 76A0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 86A0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: 96A0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: EA0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2C80000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 1210000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2394
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 7010
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe TID: 6648 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7000 | Thread sleep time: -31359464925306218s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6688 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: qg155Ew08h.exe | Binary or memory string: CttJFgANByUSUqqNlTacvGfhgfSLmkzdzLZqzQPIOtgNTPxOYzGB.dll
                        Source: qg155Ew08h.exe | Binary or memory string: CttJFgANByUSUqqNlTacvGfhgfS
                        Source: MSBuild.exe, 00000002.00000002.1793881514.0000000000F68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CF95F7A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CF95F7A
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CF9BCEB GetProcessHeap,0_2_6CF9BCEB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CF95AA1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6CF95AA1
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CF99F17 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CF99F17
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CF88290 HuaweiShare,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CreateProcessW,VirtualAllocEx,WriteProcessMemory,CloseHandle,CloseHandle,0_2_6CF88290
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B01008
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CF96138 cpuid 0_2_6CF96138
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Queries volume information: C:\Users\user\Desktop\qg155Ew08h.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\qg155Ew08h.exe | Code function: 0_2_6CF95BC3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6CF95BC3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: MSBuild.exe, 00000002.00000002.1802744090.000000000569F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.qg155Ew08h.exe.6cfa9000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.qg155Ew08h.exe.6cfa9000.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.qg155Ew08h.exe.6cf80000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.1793001097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: qg155Ew08h.exe PID: 2568, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6664, type: MEMORYSTR
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLR^q
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q,
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR^q
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q,
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR^q
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q&%localappdata%\Coinomi\Coinomi\walletsLR^q\
                        Source: MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                        Source: Yara match | File source: 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6664, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.qg155Ew08h.exe.6cfa9000.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.qg155Ew08h.exe.6cfa9000.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.qg155Ew08h.exe.6cf80000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.1793001097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: qg155Ew08h.exe PID: 2568, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6664, type: MEMORYSTR
                        MITRE ATT&CK Matrix (numbers in front of a technique are the report's signature counts for that cell)

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 351 Security Software Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 124 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Source | Detection | Scanner | Label
                        qg155Ew08h.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine
                        qg155Ew08h.exe | 47% | Virustotal |
                        qg155Ew08h.exe | 100% | Avira | HEUR/AGEN.1311038
                        qg155Ew08h.exe | 100% | Joe Sandbox ML |
                        Source | Detection | Scanner | Label
                        C:\Users\user\AppData\Roaming\d3d9.dll | 100% | Joe Sandbox ML |
                        C:\Users\user\AppData\Roaming\d3d9.dll | 75% | ReversingLabs | Win32.Trojan.LummaStealer
                        C:\Users\user\AppData\Roaming\d3d9.dll | 49% | Virustotal |
                        No Antivirus matches
                        Source | Detection | Scanner | Label
                        bg.microsoft.map.fastly.net | 0% | Virustotal |
                        fp2e7a.wpc.phicdn.net | 0% | Virustotal |
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
                        fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id14ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002E32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15V | MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | MSBuild.exe, 00000002.00000002.1795321792.00000000030FD000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | qg155Ew08h.exe, 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1793001097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id20 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19 | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8Response | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | MSBuild.exe, 00000002.00000002.1795321792.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8ResponseD | MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
5.42.92.213 | unknown | Russian Federation | 39493 | RU-KSTV Kolomna Group of companies Guarantee-tv, RU | true
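Reading the URL and IP tables above: almost every URL is a WS-*/WCF XML namespace (schemas.xmlsoap.org, docs.oasis-open.org, tempuri.org) that the .NET runtime leaves in the heap of the injected MSBuild.exe process and never contacts; the duckduckgo.com and ecosia.org entries all come from the dump at 0x3FE6000 and are consistent with browser profile data being read; the only real network indicators are https://api.ip.sb/ip (present in the sample's own mapped image and, if the fifth dump-id field is read as a PAGE_* value, in an executable private region at 0x402000 of MSBuild.exe, i.e. the injected payload) and the C2 address 5.42.92.213 (AS39493, flagged malicious). The script below is an added example, not Joe Sandbox code: it takes rows copied from this report and separates them along those lines. The decoding of the dump-id fields (process index, base address, PAGE_* protection, MEM_* region type) is an assumption read off the ids on this page, not a documented Joe Sandbox format.

```python
"""Triage of the URL / IP tables of a Joe Sandbox report.

Added example, not Joe Sandbox code.  The rows below are copied from this
report; the decoding of the dump-id fields is this example's assumption.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# XML namespace hosts that .NET WCF / WS-* assemblies leave in the heap of any
# process that loaded them; they are never contacted and are not indicators.
FRAMEWORK_HOSTS = {"schemas.xmlsoap.org", "docs.oasis-open.org", "tempuri.org",
                   "schemas.microsoft.com", "www.w3.org"}
# Default search / new-tab URLs kept in browser profile files.  Seeing them in
# the payload's heap fits browser-data harvesting rather than C2 traffic.
BROWSER_PROFILE_HOSTS = {"duckduckgo.com", "www.ecosia.org"}

# Assumed layout of a dump id such as
#   00000002.00000002.1793001097.0000000000402000.00000040.00000400.00020000.00000000
# field 0 = process index (2 = MSBuild.exe in this report), field 3 = region base,
# field 4 = Win32 PAGE_* protection, field 6 = MEM_* region type.  The other fields
# are not interpreted.  Read off the ids in the report, not a documented format.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
_SOURCE_RE = re.compile(r"([\w-]+\.exe), ([0-9A-F]{8}(?:\.[0-9A-F]+){7})\.sdmp")

# Rows copied from the report's URL table: (URL, Source cell, Malicious flag)
URL_ROWS = [
    ("http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce",
     "MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp", False),
    ("http://tempuri.org/Entity/Id15V",
     "MSBuild.exe, 00000002.00000002.1795321792.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp", False),
    ("https://duckduckgo.com/ac/?q=",
     "MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp", False),
    ("https://api.ip.sb/ip",
     "qg155Ew08h.exe, 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp, "
     "MSBuild.exe, 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, "
     "MSBuild.exe, 00000002.00000002.1793001097.0000000000402000.00000040.00000400.00020000.00000000.sdmp", False),
    ("https://www.ecosia.org/newtab/",
     "MSBuild.exe, 00000002.00000002.1797689236.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp", False),
]
# Row copied from the IP table: (IP, domain, country, ASN, Malicious flag)
IP_ROWS = [("5.42.92.213", "unknown", "Russian Federation", 39493, True)]


@dataclass(frozen=True)
class DumpRegion:
    process: str
    base: int
    protect: str
    mem_type: str


def parse_sources(source: str) -> list:
    """Decode every '<process>, <dump id>.sdmp' pair in a Source cell."""
    regions = []
    for proc, dump_id in _SOURCE_RE.findall(source):
        f = dump_id.split(".")
        protect = int(f[4], 16) & 0xFF      # drop PAGE_GUARD / NOCACHE modifier bits
        regions.append(DumpRegion(proc, int(f[3], 16),
                                  PAGE_PROTECT.get(protect, hex(protect)),
                                  MEM_TYPE.get(int(f[6], 16), f[6])))
    return regions


def classify_url(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    if host in FRAMEWORK_HOSTS:
        return "framework-namespace"
    if host in BROWSER_PROFILE_HOSTS:
        return "browser-profile-artifact"
    return "network-indicator"


def injected_code_regions(url_rows) -> list:
    """Executable, private (non-image) regions: where a hollowed payload lives."""
    found = set()
    for _url, source, _malicious in url_rows:
        for r in parse_sources(source):
            if r.protect.startswith("PAGE_EXECUTE") and r.mem_type == "MEM_PRIVATE":
                found.add((r.process, r.base))
    return sorted(found)


def triage(url_rows, ip_rows) -> dict:
    out = {"framework-namespace": [], "browser-profile-artifact": [],
           "network-indicator": [], "c2": []}
    for url, _source, _malicious in url_rows:
        out[classify_url(url)].append(url)
    for ip, _domain, _country, _asn, malicious in ip_rows:
        if malicious:
            out["c2"].append(ip)
    return out


if __name__ == "__main__":
    for kind, items in triage(URL_ROWS, IP_ROWS).items():
        print(f"{kind}: {items}")
    for proc, base in injected_code_regions(URL_ROWS):
        print(f"executable private region at {base:#x} in {proc}")
```

On this report the only network-indicator is https://api.ip.sb/ip, the only C2 entry is 5.42.92.213, and the only executable private region is 0x402000 in MSBuild.exe, which is the process the sample injected into rather than the sample itself; the RWX private region where a real module section would be MEM_IMAGE is the hollowing artefact worth carrying into a memory-scanning detection.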
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1483442
                        Start date and time:2024-07-27 14:36:05 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 28s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:qg155Ew08h.exe
                        renamed because original name is a hash value
                        Original Sample Name:5710e8153d3061cb80c0a4c8d1d59fec.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@4/3@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 94%
                        • Number of executed functions: 67
                        • Number of non-executed functions: 30
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 13.85.23.86, 2.19.126.137, 2.19.126.163, 199.232.214.172, 192.229.221.95
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
08:37:03 | API Interceptor | 48x Sleep call for process: MSBuild.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.42.92.213 | nuCc19sDOl.exe | malicious | RedLine | -
                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                          fp2e7a.wpc.phicdn.net | https://www.canva.com/design/DAGMDp-pdRs/DFmIVehjt-ABqDbwZmCQ6Q/view?utm_content=DAGMDp-pdRs&utm_campaign=designshare&utm_medium=link&utm_source=editor | Get hash | malicious | HTMLPhisher | Browse
                          • 192.229.221.95
                          nuCc19sDOl.exe | Get hash | malicious | RedLine | Browse
                          • 192.229.221.95
                          d34e1p5zD2.exe | Get hash | malicious | Unknown | Browse
                          • 192.229.221.95
                          Mu7iyblZk8.exe | Get hash | malicious | Unknown | Browse
                          • 192.229.221.95
                          R86BRY7DdC.exe | Get hash | malicious | Snake Keylogger | Browse
                          • 192.229.221.95
                          d34e1p5zD2.exe | Get hash | malicious | Unknown | Browse
                          • 192.229.221.95
                          41DLTjkmOm.exe | Get hash | malicious | Remcos | Browse
                          • 192.229.221.95
                          Ycj3d5NMhc.exe | Get hash | malicious | Unknown | Browse
                          • 192.229.221.95
                          QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
                          • 192.229.221.95
                          https://azadengg.com/MTQwOTk4NzcwMg==sfmaxWjJWdUxYQm5lQzA0TXpVMU1EZ3dNMmxtZUdOb1lYWmxlbkpwYzNoaGFYSmliM0p1TG1OdmJRPT0=&c=E,1,LZxP3HHb1f9qSYvI9qirqXkUUBAc_Lly3K7xLwNdfYOBECyaKUoAd-t3gcHqWT79cExKeBU56i8wGFRIGcXn5xtHq6aoS1GJuvxV76lYjLuWHw,,&typo=1 | Get hash | malicious | Unknown | Browse
                          • 192.229.221.95
                          bg.microsoft.map.fastly.net | createdthingstobefrankwithmeeverywhere.gIF.vbs | Get hash | malicious | GuLoader, Remcos | Browse
                          • 199.232.214.172
                          https://www.canva.com/design/DAGMDp-pdRs/DFmIVehjt-ABqDbwZmCQ6Q/view?utm_content=DAGMDp-pdRs&utm_campaign=designshare&utm_medium=link&utm_source=editor | Get hash | malicious | HTMLPhisher | Browse
                          • 199.232.214.172
                          nuCc19sDOl.exe | Get hash | malicious | RedLine | Browse
                          • 199.232.214.172
                          d34e1p5zD2.exe | Get hash | malicious | Unknown | Browse
                          • 199.232.210.172
                          QIKiV83Pkl.exe | Get hash | malicious | DCRat | Browse
                          • 199.232.214.172
                          41DLTjkmOm.exe | Get hash | malicious | Remcos | Browse
                          • 199.232.210.172
                          Ycj3d5NMhc.exe | Get hash | malicious | Unknown | Browse
                          • 199.232.214.172
                          oz9Blof9tN.msi | Get hash | malicious | CobaltStrike | Browse
                          • 199.232.214.172
                          QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
                          • 199.232.210.172
                          invoker.ps1 | Get hash | malicious | Unknown | Browse
                          • 199.232.210.172
                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                          RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | nuCc19sDOl.exe | Get hash | malicious | RedLine | Browse
                          • 5.42.92.213
                          LisectAVT_2403002A_199.exe | Get hash | malicious | RedLine | Browse
                          • 5.42.65.68
                          LisectAVT_2403002A_240.exe | Get hash | malicious | RisePro Stealer | Browse
                          • 5.42.65.117
                          LisectAVT_2403002A_240.exe | Get hash | malicious | RisePro Stealer | Browse
                          • 5.42.65.117
                          LisectAVT_2403002A_422.exe | Get hash | malicious | RedLine | Browse
                          • 5.42.65.68
                          LisectAVT_2403002B_301.exe | Get hash | malicious | Bdaejec, GCleaner | Browse
                          • 5.42.65.115
                          LisectAVT_2403002B_98.exe | Get hash | malicious | Bdaejec, GCleaner, Nymaim | Browse
                          • 5.42.64.3
                          LisectAVT_2403002C_44.exe | Get hash | malicious | EICAR | Browse
                          • 5.42.96.78
                          LisectAVT_2403002C_45.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse
                          • 5.42.65.68
                          LisectAVT_2403002A_479.exe | Get hash | malicious | RisePro Stealer | Browse
                          • 5.42.65.117
                          No context
                          No context
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):3094
                          Entropy (8bit):5.33145931749415
                          Encrypted:false
                          SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                          MD5:2A56468A7C0F324A42EA599BF0511FAF
                          SHA1:404B343A86EDEDF5B908D7359EB8AA957D1D4333
                          SHA-256:6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
                          SHA-512:19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Users\user\Desktop\qg155Ew08h.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):42
                          Entropy (8bit):4.0050635535766075
                          Encrypted:false
                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                          Process:C:\Users\user\Desktop\qg155Ew08h.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):474112
                          Entropy (8bit):6.069611518899029
                          Encrypted:false
                          SSDEEP:6144:3aQMm5qN8yhCXbEqzkjM5CgCcfAht4njAHnISLnl2M9V4AdFDDB:IOqN8yhWTQjMsgmkAHfnlzV9/
                          MD5:AEC340845CE4278D9E3C51D0FB781ABF
                          SHA1:FF2D1D46C5BA5DFE298A7ECD2FEABBA916D1D8B5
                          SHA-256:0AFF3F6B9F45E1A30E948B8E2CC22F77C965ECD9B41D1E76C8545384FC690FFC
                          SHA-512:15C9FC7DE8B3C0A7E92636C43CDA1C98417289369B15F544A02A1D4AB8EA252C0E48F40D1BC2EFCBABC954A0B7D34E49D2F912D916BC831C02E41B15A5B2D5DE
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 75%
                          • Antivirus: Virustotal, Detection: 49%, Browse
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L...\X.f...........!...&.....<......~Z....... ...............................p............@.........................@...T.......<............................P......`u...............................t..@............ ..P............................text............................... ..`.rdata..2h... ...j..................@..@.data...\............t..............@....reloc.......P......."..............@..B................................................................................................................................................................................................................................................................................................................................
                          File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):6.73523840649229
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:qg155Ew08h.exe
                          File size:630'272 bytes
                          MD5:5710e8153d3061cb80c0a4c8d1d59fec
                          SHA1:1aaa05a14f5643d5e4b7db83fe0c305ebde11808
                          SHA256:dd4f243c9479d1de2347886a12ef03febcfc4a1ce97af2b604736b68d5e62105
                          SHA512:6beb60cfe1adf6a2d9edb184709dcee04792c8f04c239006ec6bcb4e0749541efbc15ee73b590ac95e83a0e310594e463780f09f4b85aed00bd85c33c45f4a21
                          SSDEEP:12288:JdHXZpAPZdx9+ysrGGbH8X1gajA9m+QHPto5sFTL3mXXiWthWAqThdbxKVTJz2rE:JdiZdPshclgaoWe
                          TLSH:37D44EDC725072DFC85BC972CAA81C68EA5034BB871F920790671AEDDA5E897CF150F2
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\X.f................................. ........@.. ....................................@................................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x49b0be
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows cui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x669F585C [Tue Jul 23 07:14:36 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b068 | 0x53 | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9c000 | 0x698 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9e000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0x990c4 | 0x99200 | 1ca3df67483eb4066c3042b8acedcee2 | False | 0.614781568877551 | data | 6.74124225730025 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x9c000 | 0x698 | 0x800 | 7a1246d556db33ea51ead1ea8fb6de7f | False | 0.3603515625 | data | 3.6420339846373286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x9e000 | 0xc | 0x200 | 579f5b1b53a23c254e9d951090fc04d0 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_VERSION | 0x9c0a0 | 0x40c | data | | | 0.4140926640926641
                          RT_MANIFEST | 0x9c4ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                          2024-07-27T14:37:08.405171+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:09.623236+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:15.714266+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49731 | 13.85.23.86 | 192.168.2.4
                          2024-07-27T14:37:03.491370+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:36:57.816554+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:06.418276+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:09.145538+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:05.530839+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:08.931062+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:06.155029+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:06.883843+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:05.739318+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:07.423761+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:09.355776+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:04.988499+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:08.622887+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:03.496914+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
                          2024-07-27T14:37:04.570201+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:07.418457+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:06.669520+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:04.779491+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:04.153821+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:05.321083+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:03.072073+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:05.947381+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:37:07.092288+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49730 | 46419 | 192.168.2.4 | 5.42.92.213
                          2024-07-27T14:36:58.028717+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 46419 | 49730 | 5.42.92.213 | 192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jul 27, 2024 14:37:07.434140921 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434175968 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.434205055 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.434396982 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434428930 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434478998 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.434505939 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434533119 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434580088 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434606075 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434637070 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434663057 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434725046 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434752941 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434779882 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434848070 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.434937954 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.434964895 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435019970 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435036898 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.435081005 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435096025 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.435127020 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435148001 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.435178041 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435205936 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.435240030 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.435264111 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435292006 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435348034 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435364962 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.435399055 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435425043 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435458899 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.435483932 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.435523987 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.437833071 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.437860012 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.437891960 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.437912941 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.437944889 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.437969923 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.437999010 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438046932 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438080072 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.438112974 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.438162088 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438188076 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438571930 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438604116 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438649893 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438745022 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438785076 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438812017 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438841105 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438919067 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438945055 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.438971043 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439016104 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439043045 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439069033 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439116001 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439152956 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439167023 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439234018 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439311981 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439359903 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439385891 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439416885 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439446926 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439471960 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439589977 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439616919 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.439641953 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.440409899 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.440531969 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.440563917 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.440613031 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.440643072 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.440669060 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.440715075 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.440826893 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.440946102 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.440984011 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441010952 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441039085 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441065073 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441092968 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441118956 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441143990 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441190004 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441217899 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441245079 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441271067 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441319942 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441344976 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441370964 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441395998 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441421032 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441468000 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441493988 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441523075 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441529989 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441576004 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441603899 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441628933 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441679955 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441705942 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441731930 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441761971 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.441807985 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442445993 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442528963 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442647934 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442675114 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442701101 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442748070 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442774057 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442811966 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442842007 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442867994 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.442914009 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443295002 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443412066 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443425894 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443439007 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443512917 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443543911 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443569899 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443613052 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.443799019 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.444113970 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.444221973 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.446705103 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446731091 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446760893 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446787119 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446832895 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446858883 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446885109 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446933031 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446959972 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.446985960 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447024107 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447050095 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447096109 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447122097 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447146893 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447171926 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447207928 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447228909 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447232008 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447258949 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447285891 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447310925 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447338104 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447364092 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447388887 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447446108 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447473049 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447499037 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447525024 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447551012 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447575092 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447601080 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447647095 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447673082 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447698116 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447722912 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447748899 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447787046 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447813034 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447838068 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447863102 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447887897 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447912931 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.447958946 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448007107 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448031902 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448056936 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448082924 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448107958 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448133945 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448158979 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448189020 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.448214054 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449038982 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449088097 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449110031 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449126959 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449203014 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449217081 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449229956 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449242115 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449332952 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.449403048 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.449446917 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449460030 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449462891 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449476004 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449487925 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449522018 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449543953 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449558020 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449604034 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449631929 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449645042 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449661016 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449671030 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449685097 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449740887 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449752092 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449757099 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449784040 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449795008 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449826002 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449918032 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449929953 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449951887 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449965000 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449975014 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.449994087 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450059891 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450073004 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450084925 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450221062 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450232983 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450244904 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450294971 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450310946 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450321913 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450335026 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450345993 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450484037 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450495005 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.450704098 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.451452017 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.451463938 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.451502085 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.451514006 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.451560020 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454287052 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454353094 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454387903 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454428911 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454448938 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454459906 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454611063 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.454680920 CEST4973046419192.168.2.45.42.92.213
                          Jul 27, 2024 14:37:07.454710960 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454724073 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454735041 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454755068 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454766035 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454777956 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454807997 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454818964 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454843044 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454926014 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454946995 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454957962 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.454971075 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455040932 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455051899 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455065012 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455084085 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455096006 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455106974 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455121040 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455132961 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455153942 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455250978 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455262899 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455274105 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455288887 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455301046 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455312014 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455334902 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455349922 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455362082 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455375910 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455388069 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455399990 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455411911 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455425024 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455436945 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455456018 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455467939 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455478907 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455492020 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455502987 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455528021 CEST46419497305.42.92.213192.168.2.4
                          Jul 27, 2024 14:37:07.455579996 CEST46419497305.42.92.213192.168.2.4
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jul 27, 2024 14:37:15.738496065 CEST | 1.1.1.1 | 192.168.2.4 | 0x1915 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                          Jul 27, 2024 14:37:15.738496065 CEST | 1.1.1.1 | 192.168.2.4 | 0x1915 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                          Jul 27, 2024 14:37:16.912096977 CEST | 1.1.1.1 | 192.168.2.4 | 0xd0c6 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
                          Jul 27, 2024 14:37:16.912096977 CEST | 1.1.1.1 | 192.168.2.4 | 0xd0c6 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false

                          Target ID: 0
                          Start time: 08:36:54
                          Start date: 27/07/2024
                          Path: C:\Users\user\Desktop\qg155Ew08h.exe
                          Wow64 process (32bit): true
                          Commandline: "C:\Users\user\Desktop\qg155Ew08h.exe"
                          Imagebase: 0x6e0000
                          File size: 630'272 bytes
                          MD5 hash: 5710E8153D3061CB80C0A4C8D1D59FEC
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                          Reputation: low
                          Has exited: true

                          Target ID: 1
                          Start time: 08:36:54
                          Start date: 27/07/2024
                          Path: C:\Windows\System32\conhost.exe
                          Wow64 process (32bit): false
                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase: 0x7ff7699e0000
                          File size: 862'208 bytes
                          MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 2
                          Start time: 08:36:55
                          Start date: 27/07/2024
                          Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          Wow64 process (32bit): true
                          Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                          Imagebase: 0x840000
                          File size: 262'432 bytes
                          MD5 hash: 8FDF47E0FF70C40ED3A17014AEEA4232
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1793001097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1795321792.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1795321792.0000000002F73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation: high
                          Has exited: true

                            Execution Graph

                            Execution Coverage: 21.7%
                            Dynamic/Decrypted Code Coverage: 2.4%
                            Signature Coverage: 13.8%
                            Total number of Nodes: 624
                            Total number of Limit Nodes: 12
6cf9cb5b 14999->15005 15006 6cf9a264 ___free_lconv_mon 14 API calls 15000->15006 15001 6cf9cc37 15002 6cf9a264 ___free_lconv_mon 14 API calls 15001->15002 15007 6cf9cc3d 15002->15007 15009 6cf9a264 ___free_lconv_mon 14 API calls 15004->15009 15040 6cf9eb74 15005->15040 15006->14985 15007->14978 15008 6cf9cbd7 15008->15001 15011 6cf9a264 14 API calls ___free_lconv_mon 15008->15011 15009->14986 15011->15008 15013 6cf9eb70 15012->15013 15014 6cf9ea87 15012->15014 15013->14991 15015 6cf9ea98 15014->15015 15016 6cf9a264 ___free_lconv_mon 14 API calls 15014->15016 15017 6cf9eaaa 15015->15017 15018 6cf9a264 ___free_lconv_mon 14 API calls 15015->15018 15016->15015 15019 6cf9eabc 15017->15019 15021 6cf9a264 ___free_lconv_mon 14 API calls 15017->15021 15018->15017 15020 6cf9eace 15019->15020 15022 6cf9a264 ___free_lconv_mon 14 API calls 15019->15022 15023 6cf9eae0 15020->15023 15024 6cf9a264 ___free_lconv_mon 14 API calls 15020->15024 15021->15019 15022->15020 15025 6cf9eaf2 15023->15025 15026 6cf9a264 ___free_lconv_mon 14 API calls 15023->15026 15024->15023 15027 6cf9eb04 15025->15027 15029 6cf9a264 ___free_lconv_mon 14 API calls 15025->15029 15026->15025 15028 6cf9eb16 15027->15028 15030 6cf9a264 ___free_lconv_mon 14 API calls 15027->15030 15031 6cf9eb28 15028->15031 15032 6cf9a264 ___free_lconv_mon 14 API calls 15028->15032 15029->15027 15030->15028 15033 6cf9eb3a 15031->15033 15034 6cf9a264 ___free_lconv_mon 14 API calls 15031->15034 15032->15031 15035 6cf9eb4c 15033->15035 15037 6cf9a264 ___free_lconv_mon 14 API calls 15033->15037 15034->15033 15036 6cf9eb5e 15035->15036 15038 6cf9a264 ___free_lconv_mon 14 API calls 15035->15038 15036->15013 15039 6cf9a264 ___free_lconv_mon 14 API calls 15036->15039 15037->15035 15038->15036 15039->15013 15041 6cf9eb81 15040->15041 15051 6cf9ebd9 15040->15051 15042 6cf9a264 ___free_lconv_mon 14 API calls 15041->15042 15044 6cf9eb91 15041->15044 15042->15044 15043 6cf9ebb5 15048 6cf9ebc7 15043->15048 15049 6cf9a264 ___free_lconv_mon 14 
API calls 15043->15049 15045 6cf9a264 ___free_lconv_mon 14 API calls 15044->15045 15046 6cf9eba3 15044->15046 15045->15046 15046->15043 15047 6cf9a264 ___free_lconv_mon 14 API calls 15046->15047 15047->15043 15050 6cf9a264 ___free_lconv_mon 14 API calls 15048->15050 15048->15051 15049->15048 15050->15051 15051->14993 15053 6cf9cc79 15052->15053 15054 6cf9cc98 15052->15054 15053->15054 15058 6cf9ec02 15053->15058 15054->15008 15057 6cf9a264 ___free_lconv_mon 14 API calls 15057->15054 15059 6cf9cc92 15058->15059 15060 6cf9ec13 15058->15060 15059->15057 15061 6cf9ebdd _unexpected 14 API calls 15060->15061 15062 6cf9ec1b 15061->15062 15063 6cf9ebdd _unexpected 14 API calls 15062->15063 15064 6cf9ec26 15063->15064 15065 6cf9ebdd _unexpected 14 API calls 15064->15065 15066 6cf9ec31 15065->15066 15067 6cf9ebdd _unexpected 14 API calls 15066->15067 15068 6cf9ec3c 15067->15068 15069 6cf9ebdd _unexpected 14 API calls 15068->15069 15070 6cf9ec4a 15069->15070 15071 6cf9a264 ___free_lconv_mon 14 API calls 15070->15071 15072 6cf9ec55 15071->15072 15073 6cf9a264 ___free_lconv_mon 14 API calls 15072->15073 15074 6cf9ec60 15073->15074 15075 6cf9a264 ___free_lconv_mon 14 API calls 15074->15075 15076 6cf9ec6b 15075->15076 15077 6cf9ebdd _unexpected 14 API calls 15076->15077 15078 6cf9ec79 15077->15078 15079 6cf9ebdd _unexpected 14 API calls 15078->15079 15080 6cf9ec87 15079->15080 15081 6cf9ebdd _unexpected 14 API calls 15080->15081 15082 6cf9ec98 15081->15082 15083 6cf9ebdd _unexpected 14 API calls 15082->15083 15084 6cf9eca6 15083->15084 15085 6cf9ebdd _unexpected 14 API calls 15084->15085 15086 6cf9ecb4 15085->15086 15087 6cf9a264 ___free_lconv_mon 14 API calls 15086->15087 15088 6cf9ecbf 15087->15088 15089 6cf9a264 ___free_lconv_mon 14 API calls 15088->15089 15090 6cf9ecca 15089->15090 15091 6cf9a264 ___free_lconv_mon 14 API calls 15090->15091 15092 6cf9ecd5 15091->15092 15093 6cf9a264 ___free_lconv_mon 14 API calls 15092->15093 15093->15059 15094->14983 15096 6cf96fcd 
15095->15096 15102 6cf95d74 15095->15102 15103 6cf97693 15096->15103 15099 6cf976ce ___vcrt_FlsSetValue 6 API calls 15100 6cf96fe3 15099->15100 15108 6cf96fa7 15100->15108 15102->14805 15104 6cf97532 ___vcrt_FlsFree 5 API calls 15103->15104 15105 6cf976ad 15104->15105 15106 6cf976c5 TlsGetValue 15105->15106 15107 6cf96fd4 15105->15107 15106->15107 15107->15099 15109 6cf96fb1 15108->15109 15111 6cf96fbe 15108->15111 15110 6cf99479 ___vcrt_freefls@4 14 API calls 15109->15110 15109->15111 15110->15111 15111->15102 15118 6cf96ffe 15112->15118 15114 6cf95d50 15114->14832 15115 6cf993e8 15114->15115 15116 6cf99c68 __dosmaperr 14 API calls 15115->15116 15117 6cf95d5c 15116->15117 15117->14830 15117->14831 15119 6cf9700a GetLastError 15118->15119 15120 6cf97007 15118->15120 15121 6cf97693 ___vcrt_FlsGetValue 6 API calls 15119->15121 15120->15114 15122 6cf9701f 15121->15122 15123 6cf97084 SetLastError 15122->15123 15124 6cf976ce ___vcrt_FlsSetValue 6 API calls 15122->15124 15131 6cf9703e 15122->15131 15123->15114 15125 6cf97038 __CreateFrameInfo 15124->15125 15126 6cf97060 15125->15126 15127 6cf976ce ___vcrt_FlsSetValue 6 API calls 15125->15127 15125->15131 15128 6cf976ce ___vcrt_FlsSetValue 6 API calls 15126->15128 15129 6cf97074 15126->15129 15127->15126 15128->15129 15130 6cf99479 ___vcrt_freefls@4 14 API calls 15129->15130 15130->15131 15131->15123 15132 a835de8 15133 a835e26 15132->15133 15136 6cf88290 15133->15136 15145 6cf882b0 __CreateFrameInfo 15136->15145 15137 6cf93244 WriteProcessMemory 15198 6cf88020 15137->15198 15139 6cf92b8e CreateProcessW 15139->15145 15140 6cf884f2 15141 6cf88755 15140->15141 15140->15145 15142 6cf887c3 15141->15142 15141->15145 15143 6cf8f3c0 GetConsoleWindow ShowWindow 15142->15143 15142->15145 15147 6cf8885d 15142->15147 15180 6cf812e0 15143->15180 15145->15137 15145->15139 15145->15140 15146 6cf812e0 19 API calls 15145->15146 15158 6cf87d10 8 API calls 15145->15158 15202 6cf81000 15145->15202 15146->15145 15147->15145 15148 6cf88a72 
15147->15148 15148->15145 15149 6cf88bb7 15148->15149 15149->15145 15150 6cf88be3 15149->15150 15150->15145 15151 6cf88d43 15150->15151 15151->15145 15152 6cf92cd3 Wow64GetThreadContext 15151->15152 15156 6cf88f53 15151->15156 15152->15145 15153 6cf92c94 VirtualAlloc 15153->15145 15154 6cf92ead VirtualAllocEx 15154->15145 15156->15145 15156->15153 15156->15154 15157 6cf94002 CloseHandle CloseHandle 15156->15157 15159 6cf94cdd VirtualAllocEx 15156->15159 15160 6cf94eba CloseHandle CloseHandle 15156->15160 15161 6cf93f53 ResumeThread 15156->15161 15162 6cf8affb 15156->15162 15157->15145 15158->15145 15159->15145 15160->15145 15161->15145 15162->15145 15163 6cf930bb VirtualAllocEx 15162->15163 15164 6cf8b24d 15162->15164 15163->15145 15164->15145 15165 6cf93104 WriteProcessMemory 15164->15165 15166 6cf8b2bb 15164->15166 15165->15145 15166->15145 15167 6cf94c37 CreateProcessW 15166->15167 15168 6cf8b355 15166->15168 15167->15145 15168->15145 15169 6cf9422b 15168->15169 15172 6cf8b565 15168->15172 15170 6cf95730 _ValidateLocalCookies 5 API calls 15169->15170 15171 a835e49 15170->15171 15172->15145 15173 6cf93a78 ReadProcessMemory 15172->15173 15174 6cf8b6af 15172->15174 15173->15145 15174->15145 15175 6cf93b9c WriteProcessMemory 15174->15175 15176 6cf8b6db 15174->15176 15175->15145 15176->15145 15177 6cf94e27 WriteProcessMemory 15176->15177 15178 6cf8b83b 15176->15178 15177->15145 15178->15145 15179 6cf93e9d WriteProcessMemory Wow64SetThreadContext 15178->15179 15179->15145 15188 6cf81340 __InternalCxxFrameHandler 15180->15188 15181 6cf86eb3 CreateFileA 15181->15188 15182 6cf873a4 VirtualProtect 15182->15188 15183 6cf87640 15184 6cf95730 _ValidateLocalCookies 5 API calls 15183->15184 15185 6cf8764a 15184->15185 15185->15145 15186 6cf86dc7 GetCurrentProcess 15186->15188 15187 6cf87025 MapViewOfFile 15187->15188 15188->15181 15188->15182 15188->15183 15188->15186 15188->15187 15189 6cf87611 CloseHandle CloseHandle 15188->15189 15190 6cf86e52 K32GetModuleInformation 
GetModuleFileNameA 15188->15190 15191 6cf87460 VirtualProtect 15188->15191 15192 6cf86ddf __CreateFrameInfo 15188->15192 15194 6cf875e9 FindCloseChangeNotification 15188->15194 15195 6cf86fb6 CloseHandle 15188->15195 15196 6cf87c24 MapViewOfFile 15188->15196 15197 6cf86f2c CreateFileMappingA 15188->15197 15189->15188 15190->15188 15191->15188 15193 6cf86e07 GetModuleHandleA 15192->15193 15193->15188 15194->15188 15195->15188 15196->15188 15197->15188 15199 6cf8807e 15198->15199 15200 6cf95730 _ValidateLocalCookies 5 API calls 15199->15200 15201 6cf88262 15200->15201 15201->15145 15205 6cf81026 15202->15205 15203 6cf95730 _ValidateLocalCookies 5 API calls 15204 6cf81284 15203->15204 15204->15145 15205->15203
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Similarity
                            • API ID: Process$Memory$AllocCloseHandleVirtualWrite$Thread$ContextWindowWow64$ConsoleCreateReadResumeShow
                            • String ID: 'qy$*WiN$-:YG$.U?V$.U?V$/:W$1Z$N$2uu9$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$E@,4$Lbjy$Lr$Lr$Ud{[$Ud{[$Yr`g$]V>B$]p1;$`mLP$dLUn$g},s$kernel32.dll$ntdll.dll$n`$n`$q=/z$q=/z$qq&9$rLRU$rLRU$sEu$v@ud$v@ud$xvBq$xvBq$|e5h$|rE$}0%M$`C$xW
                            • API String ID: 1711602172-3874039472
                            • Opcode ID: 14ffc7db718a82562853e17f71a4123639d10cbaec5579d826aa14e3e3c0fd30
                            • Instruction ID: bb34d11356cfb8609ccfe7075d47d4cec283a230ad197f8008d0393975513446
                            • Opcode Fuzzy Hash: 14ffc7db718a82562853e17f71a4123639d10cbaec5579d826aa14e3e3c0fd30
                            • Instruction Fuzzy Hash: 1B24F432A552158FDF14CE2DC9C47CABBF1EB97359F109285E429E7A94C63A9E84CF00
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Similarity
                            • API ID: CloseFileHandle$Module$ProtectViewVirtual$ChangeCreateCurrentFindInformationMappingNameNotificationProcess
                            • String ID: $iU$(K?V$(K?V$6Eq\$@$I+5$Z63$[!cR$\l$k(E0$u$,$x(~[$M
                            • API String ID: 847626866-3733139534
                            • Opcode ID: 0df6afefe87c0ce6156d43465b61e0355b107768293893d547eb497ba4cec2dd
                            • Instruction ID: e1255d58f83a92eec6297b13530775e8a45b66fe9f529eef621d4eaf43b47287
                            • Opcode Fuzzy Hash: 0df6afefe87c0ce6156d43465b61e0355b107768293893d547eb497ba4cec2dd
                            • Instruction Fuzzy Hash: 70C3EF33B52215CFDF05CE3CD9957DAB7F1EB83310F109246E819AB6A1D636A94A9F00

                            Control-flow Graph
                            control_flow_graph 3161 6cf87d10-6cf87d6f GetModuleHandleW GetProcAddress call 6cf96330 3164 6cf87d76-6cf87d81 3161->3164 3165 6cf87ff1-6cf8800a call 6cf95730 3164->3165 3166 6cf87d87-6cf87d94 3164->3166 3169 6cf87d9a-6cf87da7 3166->3169 3170 6cf87eed-6cf87efa 3166->3170 3174 6cf87dad-6cf87dba 3169->3174 3175 6cf87f12-6cf87f5b 3169->3175 3172 6cf88012 3170->3172 3172->3164 3177 6cf87eae-6cf87ec4 3174->3177 3178 6cf87dc0-6cf87dcd 3174->3178 3175->3172 3177->3172 3180 6cf87fd3-6cf87fda 3178->3180 3181 6cf87dd3-6cf87de0 3178->3181 3180->3172 3183 6cf87edb-6cf87ee8 3181->3183 3184 6cf87de6-6cf87df3 3181->3184 3183->3172 3186 6cf87df9-6cf87e06 3184->3186 3187 6cf87f60-6cf87fce 3184->3187 3189 6cf87e0c-6cf87e19 3186->3189 3190 6cf87eff-6cf87f0d 3186->3190 3187->3172 3192 6cf87ec9-6cf87ed6 3189->3192 3193 6cf87e1f-6cf87e2c 3189->3193 3190->3172 3192->3172 3195 6cf8800b 3193->3195 3196 6cf87e32-6cf87e3f 3193->3196 3195->3172 3198 6cf87e62-6cf87ea9 NtQueryInformationProcess 3196->3198 3199 6cf87e45-6cf87e52 3196->3199 3198->3172 3201 6cf87e58-6cf87e5d 3199->3201 3202 6cf87fdf-6cf87fec 3199->3202 3201->3172 3202->3172
                            APIs
                            • GetModuleHandleW.KERNEL32 ref: 6CF87D2E
                            • GetProcAddress.KERNEL32 ref: 6CF87D46
                            • NtQueryInformationProcess.NTDLL ref: 6CF87E92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Similarity
                            • API ID: AddressHandleInformationModuleProcProcessQuery
                            • String ID: NtQueryInformationProcess$ntdll.dll$}To$}To
                            • API String ID: 3384173408-806997609
                            • Opcode ID: 39d4ab60e2e14332b767623aa13d8825c392b722f9b1e296a38ec8b3909508b0
                            • Instruction ID: dcdfbff13bfd7247b0dbac07de421a8e1048974c894aaf8b34d388e216c69c11
                            • Opcode Fuzzy Hash: 39d4ab60e2e14332b767623aa13d8825c392b722f9b1e296a38ec8b3909508b0
                            • Instruction Fuzzy Hash: 3371A872B16208CFCB04CFACC5847DEBFF1EB06314F20841AE459ABB44E636994A9B11
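The function graph for 6cf88290 above (the listing with CreateProcessW, Wow64GetThreadContext, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread, whose String ID carries the MSBuild.exe and aspnet_regiis.exe paths) reaches the complete API chain of process hollowing from a single function, and the graph for 6cf87d10 directly above resolves NtQueryInformationProcess from ntdll.dll at run time through GetModuleHandleW and GetProcAddress. The script below is an added example, not code from Joe Sandbox or from the sample: it parses the control_flow_graph text in the form printed on this page (node id, block address or address range, symbol and API names, then A->B edges), walks the graph from its entry block and reports which hollowing stages are reachable. It assumes that the first block listed is the entry, the alternative API names accepted per stage are my choice, and the two embedded graphs are abridged excerpts copied from this page's listings for 6cf88290 and 6cf87d10.

```python
"""Mine a Joe Sandbox control_flow_graph listing for a process-hollowing API chain.

Added example, not part of Joe Sandbox. Parses the whitespace-separated graph text
as printed in the report, walks it from the entry block and reports which stages of
the CreateProcess / GetThreadContext / VirtualAllocEx / WriteProcessMemory /
SetThreadContext / ResumeThread sequence are reachable.
"""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d+$")
# Block address or address range as printed by the IDA plugin, e.g. "6cf93244" or "fd0c79-fd0c80".
ADDR = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_@]*$")  # API or symbol name attached to a block

# Assumption: any one of the alternatives counts as the stage being present.
HOLLOWING_STAGES = {
    "spawn":   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"Wow64GetThreadContext", "GetThreadContext", "NtGetContextThread"},
    "alloc":   {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write":   {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "hijack":  {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},
    "resume":  {"ResumeThread", "NtResumeThread"},
}


def parse_cfg(text):
    """Return (entry_id, names, edges). Assumption: the first block listed is the entry."""
    names, edges, entry, current = {}, defaultdict(list), None, None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = tok
            names.setdefault(current, [])
            entry = entry or current
            i += 1  # skip the address token
        elif current is not None and IDENT.match(tok):
            names[current].append(tok)  # counts such as "14 API calls" are dropped here
        i += 1
    return entry, names, edges


def reachable_names(entry, names, edges):
    """Breadth-first walk from entry; collect every symbol/API on a reachable block."""
    seen, queue, found = {entry}, deque([entry]), set()
    while queue:
        node = queue.popleft()
        found.update(names.get(node, ()))
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return found


def hollowing_stages(text):
    """Stages of the hollowing chain reachable from the graph's entry block."""
    apis = reachable_names(*parse_cfg(text))
    return {stage for stage, alts in HOLLOWING_STAGES.items() if apis & alts}


def looks_like_process_hollowing(text, min_stages=5):
    return len(hollowing_stages(text)) >= min_stages


# Abridged excerpt of this report's graph for 6cf88290 (constructed sample input).
SAMPLE_HOLLOWING = """
15132 a835de8 15133 a835e26 15132->15133 15136 6cf88290 15133->15136
15145 6cf882b0 __CreateFrameInfo 15136->15145 15137 6cf93244 WriteProcessMemory
15198 6cf88020 15137->15198 15139 6cf92b8e CreateProcessW 15139->15145
15140 6cf884f2 15141 6cf88755 15140->15141 15142 6cf887c3 15141->15142
15145->15137 15145->15139 15145->15140 15147 6cf8885d 15142->15147
15148 6cf88a72 15147->15148 15149 6cf88bb7 15148->15149 15150 6cf88be3 15149->15150
15151 6cf88d43 15150->15151 15152 6cf92cd3 Wow64GetThreadContext 15151->15152
15156 6cf88f53 15151->15156 15153 6cf92c94 VirtualAlloc 15154 6cf92ead VirtualAllocEx
15156->15153 15156->15154 15161 6cf93f53 ResumeThread 15156->15161 15162 6cf8affb 15156->15162
15164 6cf8b24d 15162->15164 15165 6cf93104 WriteProcessMemory 15164->15165
15166 6cf8b2bb 15164->15166 15167 6cf94c37 CreateProcessW 15166->15167
15168 6cf8b355 15166->15168 15172 6cf8b565 15168->15172 15173 6cf93a78 ReadProcessMemory 15172->15173
15174 6cf8b6af 15172->15174 15176 6cf8b6db 15174->15176 15178 6cf8b83b 15176->15178
15179 6cf93e9d WriteProcessMemory Wow64SetThreadContext 15178->15179
"""

# Abridged excerpt of this report's graph for 6cf87d10 (constructed sample input).
SAMPLE_RESOLVER = """
3161 6cf87d10-6cf87d6f GetModuleHandleW GetProcAddress call 6cf96330 3164 6cf87d76-6cf87d81 3161->3164
3166 6cf87d87-6cf87d94 3164->3166 3169 6cf87d9a-6cf87da7 3166->3169 3174 6cf87dad-6cf87dba 3169->3174
3178 6cf87dc0-6cf87dcd 3174->3178 3181 6cf87dd3-6cf87de0 3178->3181 3184 6cf87de6-6cf87df3 3181->3184
3186 6cf87df9-6cf87e06 3184->3186 3189 6cf87e0c-6cf87e19 3186->3189 3193 6cf87e1f-6cf87e2c 3189->3193
3196 6cf87e32-6cf87e3f 3193->3196 3198 6cf87e62-6cf87ea9 NtQueryInformationProcess 3196->3198
"""

if __name__ == "__main__":
    print("6cf88290:", sorted(hollowing_stages(SAMPLE_HOLLOWING)))
    print("6cf87d10:", sorted(hollowing_stages(SAMPLE_RESOLVER)))
```

Running the file reports all six stages for the 6cf88290 excerpt and none for the 6cf87d10 excerpt, which is the expected result for a routine that only resolves an import. The threshold of five out of six stages is a deliberate tolerance for graphs where one of the calls sits in a helper the plugin did not inline into the listing; tighten it to six when the graph is known to be complete.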
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661034081.000000000A820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A820000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a820000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: o$z=4+$OD
                            • API String ID: 0-1376577083
                            • Opcode ID: 836eeb6748e45875af743743fc3d042aa8e799c204717d3d0417c617db640e90
                            • Instruction ID: 2dcc57515f35f1ae4b7023818fbad0ce5478d5836b5aad39297faeab786dc8e0
                            • Opcode Fuzzy Hash: 836eeb6748e45875af743743fc3d042aa8e799c204717d3d0417c617db640e90
                            • Instruction Fuzzy Hash: 2C422132A082559FCB65CB69C98557EFBF2EFC9300B14896AE496DF365C630ED01CB90

                            Control-flow Graph
                            control_flow_graph 3510 fd0c79-fd0c80 3511 fd0c86-fd0c90 3510->3511 3512 fd0f50-fd1023 call fd00e4 3510->3512 3511->3512 3513 fd0c96-fd0ca6 3511->3513 3523 fd1028 3512->3523 3513->3512 3515 fd0cac-fd0cb6 3513->3515 3515->3512 3517 fd0cbc-fd0ccc 3515->3517 3517->3512 3518 fd0cd2-fd0cdc 3517->3518 3518->3512 3520 fd0ce2-fd0cf2 3518->3520 3520->3512 3522 fd0cf8-fd0d02 3520->3522 3522->3512 3524 fd0d08-fd0d18 3522->3524 3525 fd102d-fd1042 3523->3525 3524->3512 3526 fd0d1e-fd0d28 3524->3526 3527 fd113c-fd1185 call fd00f4 3525->3527 3528 fd1048 3525->3528 3526->3512 3529 fd0d2e-fd0d3e 3526->3529 3555 fd1187 call fd1edf 3527->3555 3556 fd1187 call fd1c0b 3527->3556 3557 fd1187 call fd1a26 3527->3557 3558 fd1187 call fd1ab0 3527->3558 3528->3523 3528->3527 3531 fd104f-fd1053 3528->3531 3532 fd10de-fd110c 3528->3532 3533 fd10cb-fd10d9 3528->3533 3534 fd1075-fd1081 3528->3534 3535 fd1096-fd10c6 3528->3535 3536 fd1111-fd1118 call fd1470 3528->3536 3537 fd1063-fd1073 3528->3537 3529->3512 3530 fd0d44-fd0d4e 3529->3530 3530->3512 3538 fd0d54-fd0d63 3530->3538 3540 fd105c 3531->3540 3541 fd1055-fd105a 3531->3541 3532->3525 3533->3525 3549 fd1089-fd1094 3534->3549 3535->3525 3544 fd111e-fd1137 3536->3544 3537->3525 3538->3512 3542 fd1061 3540->3542 3541->3542 3542->3525 3544->3525 3549->3525 3554 fd118d-fd1196 3555->3554 3556->3554 3557->3554 3558->3554
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: b1b453d8730dd296cfe60535172ef5c5b28dcdec7dd7ba29286ad9e0380e35e9
                            • Instruction ID: 2c26f86ce502cff3fb72b0e30c9055c2cba886aa9ce97e621c756b15f7fbb48a
                            • Opcode Fuzzy Hash: b1b453d8730dd296cfe60535172ef5c5b28dcdec7dd7ba29286ad9e0380e35e9
                            • Instruction Fuzzy Hash: F1A1BE71A052448FC705DFA8C9589ADBFF2FF49310F19C0ABE458AB766CA31D805DB51

                            Control-flow Graph
                            control_flow_graph 3560 fd0d6e-fd0d6f 3561 fd0dce-fd0de9 3560->3561 3562 fd0d71 3560->3562 3563 fd0def-fd0df8 3561->3563 3564 fd0f50-fd1023 call fd00e4 3561->3564 3565 fd0d2d-fd0d3b 3562->3565 3566 fd0d73-fd0d85 3562->3566 3563->3564 3576 fd1028 3564->3576 3567 fd0d3d-fd0d3f 3565->3567 3568 fd0d41-fd0d4e 3565->3568 3566->3561 3567->3568 3568->3564 3571 fd0d4f-fd0d61 3568->3571 3571->3565 3573 fd0d63 3571->3573 3573->3560 3577 fd102d-fd1042 3576->3577 3578 fd113c-fd1168 call fd00f4 3577->3578 3579 fd1048 3577->3579 3601 fd116e-fd1185 3578->3601 3579->3576 3579->3578 3580 fd104f-fd1053 3579->3580 3581 fd10de-fd110c 3579->3581 3582 fd10cb-fd10d9 3579->3582 3583 fd1075 3579->3583 3584 fd1096-fd10c6 3579->3584 3585 fd1111-fd1118 call fd1470 3579->3585 3586 fd1063-fd1073 3579->3586 3588 fd105c 3580->3588 3589 fd1055-fd105a 3580->3589 3581->3577 3582->3577 3591 fd107f-fd1081 3583->3591 3584->3577 3592 fd111e-fd1137 3585->3592 3586->3577 3590 fd1061 3588->3590 3589->3590 3590->3577 3597 fd1089-fd1094 3591->3597 3592->3577 3597->3577 3603 fd1187 call fd1edf 3601->3603 3604 fd1187 call fd1c0b 3601->3604 3605 fd1187 call fd1a26 3601->3605 3606 fd1187 call fd1ab0 3601->3606 3602 fd118d-fd1196 3603->3602 3604->3602 3605->3602 3606->3602
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: aec8975c244243ca6d70a91bfe6ed358bee998b42fe69a4e1e660b7adf7eb165
                            • Instruction ID: a34ef071529f5fd056cafa6228ec33d28eae33c1a766062a501da643d7aeed24
                            • Opcode Fuzzy Hash: aec8975c244243ca6d70a91bfe6ed358bee998b42fe69a4e1e660b7adf7eb165
                            • Instruction Fuzzy Hash: 9A912971A092858FCB06DFB4C85966ABFB2FF46300F19809FD5519F293CA358806DB51

                            Control-flow Graph
                            control_flow_graph 3608 fd0bfa-fd0c0c 3609 fd0f50-fd1023 call fd00e4 3608->3609 3610 fd0c12-fd0c28 3608->3610 3618 fd1028 3609->3618 3610->3609 3611 fd0c2e-fd0c44 3610->3611 3611->3609 3613 fd0c4a-fd0c57 3611->3613 3613->3609 3615 fd0c5d-fd0c6f 3613->3615 3615->3609 3619 fd102d-fd1042 3618->3619 3620 fd113c-fd1185 call fd00f4 3619->3620 3621 fd1048 3619->3621 3645 fd1187 call fd1edf 3620->3645 3646 fd1187 call fd1c0b 3620->3646 3647 fd1187 call fd1a26 3620->3647 3648 fd1187 call fd1ab0 3620->3648 3621->3618 3621->3620 3622 fd104f-fd1053 3621->3622 3623 fd10de-fd110c 3621->3623 3624 fd10cb-fd10d9 3621->3624 3625 fd1075-fd1081 3621->3625 3626 fd1096-fd10c6 3621->3626 3627 fd1111-fd1118 call fd1470 3621->3627 3628 fd1063-fd1073 3621->3628 3630 fd105c 3622->3630 3631 fd1055-fd105a 3622->3631 3623->3619 3624->3619 3639 fd1089-fd1094 3625->3639 3626->3619 3634 fd111e-fd1137 3627->3634 3628->3619 3632 fd1061 3630->3632 3631->3632 3632->3619 3634->3619 3639->3619 3644 fd118d-fd1196 3645->3644 3646->3644 3647->3644 3648->3644
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: a8cbe41e7dc55c0063e4f4067f045031a658f15757fe63c402f08c2553347bf9
                            • Instruction ID: 931594acbdcbd100e762a6150b62d7bcb9b4efa385fb77ce8782812b707c70b6
                            • Opcode Fuzzy Hash: a8cbe41e7dc55c0063e4f4067f045031a658f15757fe63c402f08c2553347bf9
                            • Instruction Fuzzy Hash: 5A910931A192898FC705DFB8C8945AEFFB2FF45300F29809FD451AB252CA359D06DB91

                            Control-flow Graph
                            control_flow_graph 3650 fd0a7d-fd0a84 3651 fd0a8a-fd0a94 3650->3651 3652 fd0f50-fd1023 call fd00e4 3650->3652 3651->3652 3653 fd0a9a-fd0aaa 3651->3653 3662 fd1028 3652->3662 3653->3652 3654 fd0ab0-fd0aba 3653->3654 3654->3652 3656 fd0ac0-fd0ad0 3654->3656 3656->3652 3658 fd0ad6-fd0ae0 3656->3658 3658->3652 3659 fd0ae6-fd0af5 3658->3659 3659->3652 3663 fd102d-fd1042 3662->3663 3664 fd113c-fd1185 call fd00f4 3663->3664 3665 fd1048 3663->3665 3689 fd1187 call fd1edf 3664->3689 3690 fd1187 call fd1c0b 3664->3690 3691 fd1187 call fd1a26 3664->3691 3692 fd1187 call fd1ab0 3664->3692 3665->3662 3665->3664 3666 fd104f-fd1053 3665->3666 3667 fd10de-fd110c 3665->3667 3668 fd10cb-fd10d9 3665->3668 3669 fd1075-fd1081 3665->3669 3670 fd1096-fd10c6 3665->3670 3671 fd1111-fd1118 call fd1470 3665->3671 3672 fd1063-fd1073 3665->3672 3674 fd105c 3666->3674 3675 fd1055-fd105a 3666->3675 3667->3663 3668->3663 3683 fd1089-fd1094 3669->3683 3670->3663 3678 fd111e-fd1137 3671->3678 3672->3663 3676 fd1061 3674->3676 3675->3676 3676->3663 3678->3663 3683->3663 3688 fd118d-fd1196 3689->3688 3690->3688 3691->3688 3692->3688
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 7583b5d75e04dc3e6c2959af31a65bc887c34381bf717f7591265b621459f872
                            • Instruction ID: 4e60119aed5468773f3dcb218c13477e525d1387a73e988d996db8b5e2c9e420
                            • Opcode Fuzzy Hash: 7583b5d75e04dc3e6c2959af31a65bc887c34381bf717f7591265b621459f872
                            • Instruction Fuzzy Hash: 1981D431A092858FC705DFB8C8595AEBFB2FF46300F19C0ABD455AB762CA31D906DB91

                            Control-flow Graph
                            control_flow_graph 3694 fd095c-fd0968 3695 fd096e-fd097b 3694->3695 3696 fd0f50-fd1023 call fd00e4 3694->3696 3695->3696 3697 fd0981-fd098a 3695->3697 3705 fd1028 3696->3705 3697->3696 3699 fd0905-fd091a 3697->3699 3700 fd0f49-fd0f4f 3699->3700 3701 fd0920 3699->3701 3701->3700 3706 fd102d-fd1042 3705->3706 3707 fd113c-fd1185 call fd00f4 3706->3707 3708 fd1048 3706->3708 3733 fd1187 call fd1edf 3707->3733 3734 fd1187 call fd1c0b 3707->3734 3735 fd1187 call fd1a26 3707->3735 3736 fd1187 call fd1ab0 3707->3736 3708->3705 3708->3707 3709 fd104f-fd1053 3708->3709 3710 fd10de-fd110c 3708->3710 3711 fd10cb-fd10d9 3708->3711 3712 fd1075-fd1081 3708->3712 3713 fd1096-fd10c6 3708->3713 3714 fd1111-fd1118 call fd1470 3708->3714 3715 fd1063-fd1073 3708->3715 3717 fd105c 3709->3717 3718 fd1055-fd105a 3709->3718 3710->3706 3711->3706 3726 fd1089-fd1094 3712->3726 3713->3706 3721 fd111e-fd1137 3714->3721 3715->3706 3719 fd1061 3717->3719 3718->3719 3719->3706 3721->3706 3726->3706 3731 fd118d-fd1196 3733->3731 3734->3731 3735->3731 3736->3731
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 1a2f209306a9a362264c5ba6479719e85b699a0c4f87e1ce873bb3ed2fc5f44e
                            • Instruction ID: dc759a01b2ce93ae56c96856f83bc2aa194f08260914a7f89187b9cf4bfdb24a
                            • Opcode Fuzzy Hash: 1a2f209306a9a362264c5ba6479719e85b699a0c4f87e1ce873bb3ed2fc5f44e
                            • Instruction Fuzzy Hash: C681F631A092858FC705DFB8C85966EBFA3FF86300F1984AFD5519B392CA358906DB91

                            Control-flow Graph
                            control_flow_graph 3737 fd0e49-fd0e4b 3738 fd0e4d 3737->3738 3739 fd0e55-fd0e59 3737->3739 3738->3739 3740 fd0e5f-fd0e69 3739->3740 3741 fd0f50-fd1023 call fd00e4 3739->3741 3740->3741 3742 fd0e6f-fd0e79 3740->3742 3748 fd1028 3741->3748 3742->3741 3744 fd0e7f-fd0e8d 3742->3744 3744->3741 3749 fd102d-fd1042 3748->3749 3750 fd113c-fd1185 call fd00f4 3749->3750 3751 fd1048 3749->3751 3775 fd1187 call fd1edf 3750->3775 3776 fd1187 call fd1c0b 3750->3776 3777 fd1187 call fd1a26 3750->3777 3778 fd1187 call fd1ab0 3750->3778 3751->3748 3751->3750 3752 fd104f-fd1053 3751->3752 3753 fd10de-fd110c 3751->3753 3754 fd10cb-fd10d9 3751->3754 3755 fd1075-fd1081 3751->3755 3756 fd1096-fd10c6 3751->3756 3757 fd1111-fd1118 call fd1470 3751->3757 3758 fd1063-fd1073 3751->3758 3760 fd105c 3752->3760 3761 fd1055-fd105a 3752->3761 3753->3749 3754->3749 3769 fd1089-fd1094 3755->3769 3756->3749 3764 fd111e-fd1137 3757->3764 3758->3749 3762 fd1061 3760->3762 3761->3762 3762->3749 3764->3749 3769->3749 3774 fd118d-fd1196 3775->3774 3776->3774 3777->3774 3778->3774
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 92480d75735f65ee14108df4a8609b0ba4976c54654cdea000da799cff5e2069
                            • Instruction ID: 5377bedf40c54669350955cd6c557b413126ba83ff7c36188f9c98c1ce07420b
                            • Opcode Fuzzy Hash: 92480d75735f65ee14108df4a8609b0ba4976c54654cdea000da799cff5e2069
                            • Instruction Fuzzy Hash: C8712731A092858FC705DFB8C85966EBFB3FF86310F19C0AFD4519B292CA358906DB91

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 45af326ea1149f5906958cb1f23bc26d491f4baff12104e1489c25928092e82b
                            • Instruction ID: 1f8115a720a99ee24a295d4dc236fe0bd92a315b982bc5c3b68328b967c6464c
                            • Opcode Fuzzy Hash: 45af326ea1149f5906958cb1f23bc26d491f4baff12104e1489c25928092e82b
                            • Instruction Fuzzy Hash: 58712931A192858FC705DFB8C8596AEBFB2FF46300F1980AFD5519B392CA358906DB91

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: e327e3ee28c826ace994a2454cdc8ec53a2e275ac173ce6bc051f9b908434640
                            • Instruction ID: 012144c9e04fd98a8651173839dc39734266ae57edf7c245aba3fadbbd4d5e24
                            • Opcode Fuzzy Hash: e327e3ee28c826ace994a2454cdc8ec53a2e275ac173ce6bc051f9b908434640
                            • Instruction Fuzzy Hash: 77710831A092858FC705DFB8C85966DBFB2FF86300F19C0AFD5559B2A2CA358D06DB91

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 6f16075a1e9a192b790c0d9797bc6a5d2076e7656fcf70564e1414b48bc2ab4c
                            • Instruction ID: 0a1d701a2eb0d086f4f97d38784b8d6bc48c3e3b434a5c66a637fd26b902ecbc
                            • Opcode Fuzzy Hash: 6f16075a1e9a192b790c0d9797bc6a5d2076e7656fcf70564e1414b48bc2ab4c
                            • Instruction Fuzzy Hash: 49711B31A192858FC705DFB8C8596AEBFB2FF46300F19C0AFD5519B2A2CA358D06DB51

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 1cd6bb9426778efc7edd0c3c8223f0be2ef1187f0e7c03c913ef8e8c718e08e8
                            • Instruction ID: 90c66c90ab5ec797566fd7c40478d42aabbc969c53d9c6547e5794bbfe497182
                            • Opcode Fuzzy Hash: 1cd6bb9426778efc7edd0c3c8223f0be2ef1187f0e7c03c913ef8e8c718e08e8
                            • Instruction Fuzzy Hash: 75712931A192858FC705DFB8C8596AEBFB2FF46300F19C0AFD4509B692CA358D06DB91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 5ca6ba7895a1efc5aaf0c7aa50cc0272bed287e75d62b229ed54e5b267c3315b
                            • Instruction ID: 5b05d73492bb88b4324af76b2e94d931687cd97a79e774da708fcea70d1c8257
                            • Opcode Fuzzy Hash: 5ca6ba7895a1efc5aaf0c7aa50cc0272bed287e75d62b229ed54e5b267c3315b
                            • Instruction Fuzzy Hash: 59711A31A092858FC705DFB8C85966DBFB2FF86300F19C0AFD5519B6A2CA358D06DB91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: a5268a42e840d371b07f16d64ee168c6d6f279307171719e125ad70b70a46b9f
                            • Instruction ID: cb4fc9790690667d30f213a9e31a46332f8ddb7d1223200c9916687e9f70f5f9
                            • Opcode Fuzzy Hash: a5268a42e840d371b07f16d64ee168c6d6f279307171719e125ad70b70a46b9f
                            • Instruction Fuzzy Hash: 53712A31A192858FC705DFB8C8596AEBFB2FF46300F1980AFD5519B392CA358D06DB51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 702b8ffe8c4d8b2427f008015a51d3dc2235c68eb949464cc6363bd255b9f92a
                            • Instruction ID: 46d1794bea0f9eec6ed9669906013d612be455f840d2e7cf3272a05659b9c25e
                            • Opcode Fuzzy Hash: 702b8ffe8c4d8b2427f008015a51d3dc2235c68eb949464cc6363bd255b9f92a
                            • Instruction Fuzzy Hash: CE712A31A1A2858FC705DFB8CC5966DBFB2FF46300F1980AFD4519B692CA358D06DB51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 95944085774bbf3fca8e2f616a088e0e76c353553d0251cbf10e6a7c967fe3ea
                            • Instruction ID: 072a9433781673e0eada8becf5371271b9a325eb86efe190f6237ece75465894
                            • Opcode Fuzzy Hash: 95944085774bbf3fca8e2f616a088e0e76c353553d0251cbf10e6a7c967fe3ea
                            • Instruction Fuzzy Hash: 9D714C31A192858FC705DFB8CC5966EBFB2FF46300F1980AFD4519B292CA358D06DB51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 877e5d637fc43c8fb8a44370d25d82f0d57378685b693b4d78439513a648e001
                            • Instruction ID: fa8538ae4116f53b4d59845c119ac0d8c9435cedd29271370aa320adaa2c47c8
                            • Opcode Fuzzy Hash: 877e5d637fc43c8fb8a44370d25d82f0d57378685b693b4d78439513a648e001
                            • Instruction Fuzzy Hash: 2F714A31A092958FC705DFB8CC596AEBFB2FF46310F1980AFD4519B392CA358906DB91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 8208fdfe8721a318a8211692e3d651feb7cdd25874d3b4c2fec83d3e2aaa4730
                            • Instruction ID: 7e7c8954f18507da85ad89179946054c0141e3cf4d7af091c2f166b8de3707c4
                            • Opcode Fuzzy Hash: 8208fdfe8721a318a8211692e3d651feb7cdd25874d3b4c2fec83d3e2aaa4730
                            • Instruction Fuzzy Hash: F4710931A092858FC705DFB8CC5966DBFB2FF46300F1984AFD5519B292CA358D06DB91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: a7f5e5f105b45fe7872f6e01904e1800d18a2cab0a56a3944bbaeddc78902cf7
                            • Instruction ID: 9d50b374929e2c97411b8a6faf68c9289431d6f93b5908bb22f77a94c19b9f65
                            • Opcode Fuzzy Hash: a7f5e5f105b45fe7872f6e01904e1800d18a2cab0a56a3944bbaeddc78902cf7
                            • Instruction Fuzzy Hash: 3151F871A092858FC705DFB8C85966EBFB2FF86300F1980AFD5519B362CA358905DB91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: ab439a7e08205655409d0e50122ce88496429185ef12fcaa8d80ee45f20acd98
                            • Instruction ID: a8590a8655f499d4d737eed8d9b9f6d9702566b0739b5ab3699df9452e83d22c
                            • Opcode Fuzzy Hash: ab439a7e08205655409d0e50122ce88496429185ef12fcaa8d80ee45f20acd98
                            • Instruction Fuzzy Hash: 25419071B001199FDB08DFA9C88967EFAB7FF84700F24842AE515EB361CB358D419B91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: c/(
                            • API String ID: 0-1181213848
                            • Opcode ID: 1063116e03b5d9952a97a9bdfb3e50fe7effe00b0f8b538fdd8ba8a3182caf7e
                            • Instruction ID: 9f14f9e9b06e5d795022632725e2b579a5a55f3564aeedf6f8a89f053d66259f
                            • Opcode Fuzzy Hash: 1063116e03b5d9952a97a9bdfb3e50fe7effe00b0f8b538fdd8ba8a3182caf7e
                            • Instruction Fuzzy Hash: 86A1247251D2958FC745CF78C895595BFA2FB2230071982ABD8928B652C730EA46E7C2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: c/(
                            • API String ID: 0-1181213848
                            • Opcode ID: cb7b23d97cfbf5762f0ae5358730d339c28a44fa12fb20bc18e8b45efc00a911
                            • Instruction ID: 937ec923f1d42c72b09631c771a37853f84c216adc8938f366a7534a69df5284
                            • Opcode Fuzzy Hash: cb7b23d97cfbf5762f0ae5358730d339c28a44fa12fb20bc18e8b45efc00a911
                            • Instruction Fuzzy Hash: 0FA15532618255CFC385CF28C880915BBB2FB25300B5A866BD856DB762C734ED06FBD2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661034081.000000000A820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A820000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a820000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a849c343911db604073f09eda20195b7cd6b950d370f38e302455a2d0ff2b24a
                            • Instruction ID: 8321983b311ea56097af19adfd30afb621c475a6631f5883038178c41d40f051
                            • Opcode Fuzzy Hash: a849c343911db604073f09eda20195b7cd6b950d370f38e302455a2d0ff2b24a
                            • Instruction Fuzzy Hash: FB41497BF1810BAB87589AB9CD8207FB666EBC42053154C369802DF3A0DF34CE0187D2

                            Control-flow Graph

                            APIs
                            • __RTC_Initialize.LIBCMT ref: 6CF958DF
                            • ___scrt_uninitialize_crt.LIBCMT ref: 6CF958F9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: Initialize___scrt_uninitialize_crt
                            • String ID:
                            • API String ID: 2442719207-0
                            • Opcode ID: c7ed2a7a7518642a3d94ea5ab6efd1f666b4b768e1647c6f7f2025cec611359f
                            • Instruction ID: 85e038c858ea788bc5995b30d81e3b2bac8e0fae638d74852a701901c7faa4b5
                            • Opcode Fuzzy Hash: c7ed2a7a7518642a3d94ea5ab6efd1f666b4b768e1647c6f7f2025cec611359f
                            • Instruction Fuzzy Hash: 1E41D772E05225EFFF118F69C880F9E7AB4EB857AEF114316E82567B50C7314D458BA0

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: dllmain_raw$dllmain_crt_dispatch
                            • String ID:
                            • API String ID: 3136044242-0
                            • Opcode ID: 163f115904895e48df2afca96c0b8d1a41b4e3012ce651ed5cf98f56573dc83e
                            • Instruction ID: afac10e1f2aa6486bc15c70959487e53b703dedd01b95a8fb5ee558dc37b6807
                            • Opcode Fuzzy Hash: 163f115904895e48df2afca96c0b8d1a41b4e3012ce651ed5cf98f56573dc83e
                            • Instruction Fuzzy Hash: 9621A672D05225EFFF218F55C880EAF7A78EB816AEB014315F81457A10C3318D058B90

                            Control-flow Graph

                            APIs
                            • __RTC_Initialize.LIBCMT ref: 6CF957DE
                              • Part of subcall function 6CF95C5B: InitializeSListHead.KERNEL32(6CFF4020,6CF957E8,6CFA7A90,00000010,6CF95779,?,?,?,6CF959A1,?,00000001,?,?,00000001,?,6CFA7AD8), ref: 6CF95C60
                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF95848
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                            • String ID:
                            • API String ID: 3231365870-0
                            • Opcode ID: 16968b564230d94fcaf80769537cfc8cc2cbf15d79ddd680f2247eb749efb889
                            • Instruction ID: 6d0b0b1803f96ca838c0e9383097df902d729d898a4abe758008f1c64c33643a
                            • Opcode Fuzzy Hash: 16968b564230d94fcaf80769537cfc8cc2cbf15d79ddd680f2247eb749efb889
                            • Instruction Fuzzy Hash: 34212132A49201AAFF106BF494087DD7BB09F022AFF21065AD5956BFD1CB23044EC7A2

                            Control-flow Graph

                            APIs
                            • GetStdHandle.KERNEL32(000000F6), ref: 6CF9BE08
                            • GetFileType.KERNELBASE(00000000), ref: 6CF9BE1A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileHandleType
                            • String ID:
                            • API String ID: 3000768030-0
                            • Opcode ID: ddc8a15bcb163abddc50a6b112437cf87d4eedca84744b7022370ade7f32583c
                            • Instruction ID: a52c3e1c83c3f4ba6aee348e27f4d3b254fd8ceda8b5527a265a21bc243d9445
                            • Opcode Fuzzy Hash: ddc8a15bcb163abddc50a6b112437cf87d4eedca84744b7022370ade7f32583c
                            • Instruction Fuzzy Hash: A111EC726087014AEF305E3E8C99757BAADAB47234B340F5EE2B6C69F1C331D586D684
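The control_flow_graph line in this entry is the IDA plugin's textual dump of the function's basic blocks (block id, address range, and the API called in that block) followed by its edges (src->dst). Below is an added example, not part of the Joe Sandbox report, that parses such a line and answers the questions a reverser asks of it: entry and exit blocks, which blocks call an API, the shortest path from the entry to such a block, and loop back edges. CFG_TEXT is the graph line of this entry embedded verbatim so the script runs offline; the Block type and the function names are this example's own.

```python
"""Parse one Joe Sandbox control_flow_graph line and query it.

Added example, not code from the report. CFG_TEXT is the graph of the
GetStdHandle/GetFileType function in this report, copied verbatim.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

CFG_TEXT = (
    "3490 6cf9bdbc-6cf9bdc1 3491 6cf9bdc3-6cf9bddb 3490->3491 3492 6cf9bde9-6cf9bdf2 "
    "3491->3492 3493 6cf9bddd-6cf9bde1 3491->3493 3495 6cf9be04 3492->3495 3496 "
    "6cf9bdf4-6cf9bdf7 3492->3496 3493->3492 3494 6cf9bde3-6cf9bde7 3493->3494 3498 "
    "6cf9be5e-6cf9be62 3494->3498 3497 6cf9be06-6cf9be13 GetStdHandle 3495->3497 3499 "
    "6cf9bdf9-6cf9bdfe 3496->3499 3500 6cf9be00-6cf9be02 3496->3500 3501 6cf9be40-6cf9be52 "
    "3497->3501 3502 6cf9be15-6cf9be17 3497->3502 3498->3491 3503 6cf9be68-6cf9be6b "
    "3498->3503 3499->3497 3500->3497 3501->3498 3505 6cf9be54-6cf9be57 3501->3505 "
    "3502->3501 3504 6cf9be19-6cf9be22 GetFileType 3502->3504 3504->3501 3506 "
    "6cf9be24-6cf9be2d 3504->3506 3505->3498 3507 6cf9be2f-6cf9be33 3506->3507 3508 "
    "6cf9be35-6cf9be38 3506->3508 3507->3498 3508->3498 3509 6cf9be3a-6cf9be3e "
    "3508->3509 3509->3498"
)


@dataclass
class Block:
    nid: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # API names printed after the range


EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


def parse_cfg(text):
    """Return ({block id: Block}, [(src, dst), ...]) from one graph line."""
    blocks, edges, cur = {}, [], None
    toks = text.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None                      # API names only follow a block's range
        else:
            m = RANGE_RE.match(toks[i + 1]) if tok.isdigit() and i + 1 < len(toks) else None
            if m:                           # "<id> <start>[-<end>]", a single address is one byte range
                start = int(m.group(1), 16)
                end = int(m.group(2) or m.group(1), 16)
                cur = int(tok)
                blocks[cur] = Block(cur, start, end)
                i += 1                      # the range token is consumed too
            elif cur is not None:
                blocks[cur].apis.append(tok)
        i += 1
    return blocks, edges


def successors(edges):
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    return succ


def entry_blocks(blocks, edges):
    targets = {b for _, b in edges}
    return sorted(n for n in blocks if n not in targets)


def exit_blocks(blocks, edges):
    sources = {a for a, _ in edges}
    return sorted(n for n in blocks if n not in sources)


def api_blocks(blocks):
    return {n: b.apis for n, b in blocks.items() if b.apis}


def shortest_path(edges, src, dst):
    """BFS over block ids; [] when dst is unreachable from src."""
    succ = successors(edges)
    prev = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for s in succ[n]:
            if s not in prev:
                prev[s] = n
                queue.append(s)
    return []


def back_edges(blocks, edges, entry):
    """DFS from entry with sorted successors; an edge into a block still on the
    DFS stack closes a loop."""
    succ = successors(edges)
    color = {n: 0 for n in blocks}          # 0 unvisited, 1 on stack, 2 done
    found = []

    def visit(n):
        color[n] = 1
        for s in sorted(succ[n]):
            if color[s] == 1:
                found.append((n, s))
            elif color[s] == 0:
                visit(s)
        color[n] = 2

    visit(entry)
    return found


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_TEXT)
    entry = entry_blocks(blocks, edges)[0]
    print(f"{len(blocks)} blocks, {len(edges)} edges, entry {entry} @ {blocks[entry].start:x}")
    for n, apis in api_blocks(blocks).items():
        print(f"block {n} {blocks[n].start:x}-{blocks[n].end:x} calls {apis}; "
              f"path from entry: {shortest_path(edges, entry, n)}")
    print("loop back edges:", back_edges(blocks, edges, entry))
```

For this function the only back edge is 3498->3491, and both API-calling blocks (3497 for GetStdHandle, 3504 for GetFileType) lie inside that loop, so the calls are made per iteration rather than once. The same queries on a graph whose API reference sits in a block with no path from the entry return an empty path, which is how a dead-code import used as a decoy is told apart from one the function actually reaches.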
                            APIs
                            • LoadLibraryW.KERNELBASE(00000000), ref: 0A835C18
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661034081.000000000A820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A820000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a820000_qg155Ew08h.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 20d008cadf3b23910bc20e64dee27d818c6865a9750a6d3c30f9e186921fd491
                            • Instruction ID: f86e8e60ce140c0a2d99aa9ab8533b0fb595b630ab6ac94843db924006bb3555
                            • Opcode Fuzzy Hash: 20d008cadf3b23910bc20e64dee27d818c6865a9750a6d3c30f9e186921fd491
                            • Instruction Fuzzy Hash: EC1112B6D006599FCB14CF9AD944A9EFBF4FB48324F10812AD819A7350C778A944CFE5
                            APIs
                            • FindCloseChangeNotification.KERNELBASE ref: 0A835F97
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661034081.000000000A820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A820000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a820000_qg155Ew08h.jbxd
                            Similarity
                            • API ID: ChangeCloseFindNotification
                            • String ID:
                            • API String ID: 2591292051-0
                            • Opcode ID: 5f746d9889ea297ec545c25c4f64acda604c7fefdd967723b7b9694346500375
                            • Instruction ID: 6d1baf86744bbddb8c87db6f0a6b6f6adb2c414b5dfca6d8a54a73f7146a2c47
                            • Opcode Fuzzy Hash: 5f746d9889ea297ec545c25c4f64acda604c7fefdd967723b7b9694346500375
                            • Instruction Fuzzy Hash: 361133B2800249CFCB20DF9AC544BDEBBF4EF48324F21846AD558A7350D778A944CFA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: P n
                            • API String ID: 0-2893258591
                            • Opcode ID: 62aeb1b4001b587fece7976204c67b7794b872d9930bf3419062cede45200c53
                            • Instruction ID: 0c492b10058426e0a615b92849334198b903d154aa6369967984d276cea9e2af
                            • Opcode Fuzzy Hash: 62aeb1b4001b587fece7976204c67b7794b872d9930bf3419062cede45200c53
                            • Instruction Fuzzy Hash: FD014E31D142484FD70487B948005AF7FE7BF85310F14863AD456FB3C1D6388906E752
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7cf25bc886a8a3a43ec4214755043cafde55d96ebb674a823336949590269242
                            • Instruction ID: 09ab68ab47c186f6107d73e83c4ed66c387dbc21d089cfae04b4b749553d1449
                            • Opcode Fuzzy Hash: 7cf25bc886a8a3a43ec4214755043cafde55d96ebb674a823336949590269242
                            • Instruction Fuzzy Hash: 37410171E04249DFCB15CBA8C8611AEBBB3FF89300F28852BE445EB711D7349A06DB91
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 05c4e94c658170baa2db72587169d591aed6ff7a94ca0a593ffa3097a6c89767
                            • Instruction ID: 682829c630ae17be9fe72b6196d7deec8e5c33832c2cd551632f632c29ee8c10
                            • Opcode Fuzzy Hash: 05c4e94c658170baa2db72587169d591aed6ff7a94ca0a593ffa3097a6c89767
                            • Instruction Fuzzy Hash: 6F413732A2E2C58FC751C734C9A6159BFA3EF42200719C9EBC5D497A86C2688947EB53
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b806335d37fc53eacacab503f03e00771df46a4003bcf894eafd3b42fcf942e8
                            • Instruction ID: 933cfb41211382c9a8f070cc0c460e52f31c02cbb4c36d8458ebc196dcc944f8
                            • Opcode Fuzzy Hash: b806335d37fc53eacacab503f03e00771df46a4003bcf894eafd3b42fcf942e8
                            • Instruction Fuzzy Hash: C631DA76E042599FCB05CBAAD8505AEBBF3BFCA300B298157E406EB361D3349D06DB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: df64c71cafab3f96d074e81200fa45e08e4cf070d5f23aa01112653381191957
                            • Instruction ID: b234890f60cb8a329a7b69e083d97f85ac21d6ef2f285d78d6e82c99edf64900
                            • Opcode Fuzzy Hash: df64c71cafab3f96d074e81200fa45e08e4cf070d5f23aa01112653381191957
                            • Instruction Fuzzy Hash: 34110371E145989FDB19CBA8C85159EBBF7BFCA300B288557E401E7320D7708802DB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: db594a092cb1ed8367d7d225363dba8a60acc2739d09bba78fce19bdd26da414
                            • Instruction ID: 83069b796d101b93c565524cfb0e62caef06db11488f18da7fa6c24219c5edc5
                            • Opcode Fuzzy Hash: db594a092cb1ed8367d7d225363dba8a60acc2739d09bba78fce19bdd26da414
                            • Instruction Fuzzy Hash: 70012466B096816FC305CE7A2940052FFE7BBC631071CC27BD009C7722C764D815E791
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d5b7e8982665ad8c755ff3ff45733f8fa20ccb85d3c4b63a7fe5597627855cd2
                            • Instruction ID: c156b9f700500df635c78e961c2409fa4ac079e71ebe737130e078eaeb7639c3
                            • Opcode Fuzzy Hash: d5b7e8982665ad8c755ff3ff45733f8fa20ccb85d3c4b63a7fe5597627855cd2
                            • Instruction Fuzzy Hash: 3F017B3120C2C18FC76A4739A81045BBF93DFE322531C85AFE05BCB361CA25D907A751
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42c4c43dedb1f396e729c6d72974443beb53fb888a5302ea04a4f47bc83c2919
                            • Instruction ID: 009d2381dd4344a47121a2f9ddc35c2df1e72a4e53a2bf8edc6e21b585006791
                            • Opcode Fuzzy Hash: 42c4c43dedb1f396e729c6d72974443beb53fb888a5302ea04a4f47bc83c2919
                            • Instruction Fuzzy Hash: CC017D767096844FD3068B3A4C84A26FFE7EBC9310B28C06BE50DC7BA1CA348C05D780
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dce38c54921e124e7b15e3c4c5a5f5d16bd4163e5cebe4267daf8e3f11c6b316
                            • Instruction ID: e2d52f8e37b6ef7b035eb26521cd35e2b8da8adbd597d7cf04391b4091b48d73
                            • Opcode Fuzzy Hash: dce38c54921e124e7b15e3c4c5a5f5d16bd4163e5cebe4267daf8e3f11c6b316
                            • Instruction Fuzzy Hash: 03018633304284DBD7609A599580753B7E7FB993607AC4D3BE047CBB14C675E880A701
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e48235de5ec40fc15acb13b4473136620b99690f85d56f987e4420c2dedb47e
                            • Instruction ID: f5b6cf4af092c7c941f1e22ff944ff4260c4cdb317f5e659b509436470351c98
                            • Opcode Fuzzy Hash: 1e48235de5ec40fc15acb13b4473136620b99690f85d56f987e4420c2dedb47e
                            • Instruction Fuzzy Hash: C1F090767005095BD3589A3E9D84A26FACBF7C8760B24C42BE50DC7794DA31DC15A6D0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6fcc903a678a890fcf584f53142ad83abd91f8e0846888093277f95605c2d460
                            • Instruction ID: 00611f5f00103a0cdb1de2a9491bb753e9831ce5c27782b98da0d7c7efb61b2d
                            • Opcode Fuzzy Hash: 6fcc903a678a890fcf584f53142ad83abd91f8e0846888093277f95605c2d460
                            • Instruction Fuzzy Hash: 5BF06274D05209EFCB44DFB8D98968DBFB2EB9A600F2485B6D446D7360E6308A15AB40
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 82473c396d53519b24960e4731770874ed91eea31f6bc0530f7892ccba95a19c
                            • Instruction ID: 8eeeccdc3969746759f385ab3414626cb242c0289d108dc2981c8a55bfe0f8a8
                            • Opcode Fuzzy Hash: 82473c396d53519b24960e4731770874ed91eea31f6bc0530f7892ccba95a19c
                            • Instruction Fuzzy Hash: 0BF05474E0520DEFCB44DFB8994428DBFF2EB95300F2484B6D845D7364E6309A15A780
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6d8d07c297f6e880d211307916c4a53edbf4108287715d554c3fa563c1e053df
                            • Instruction ID: c8a1ae7f0f832de8d6f866990aa25682596ceaa759ad9b276ae99ed405d50bfe
                            • Opcode Fuzzy Hash: 6d8d07c297f6e880d211307916c4a53edbf4108287715d554c3fa563c1e053df
                            • Instruction Fuzzy Hash: E0E0C2347211269FCB24AB3CD96823877A3EB94B00F184A37C506D33A5EEB0CC496740
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8b246b3c6fb1e1887afeee67ad201b86339fd675ca4ae42d760aaf4a765f842c
                            • Instruction ID: 7d447917a9797ee92f54e89737b6412c9e41f6487ce1354a44de26b72f85f3cb
                            • Opcode Fuzzy Hash: 8b246b3c6fb1e1887afeee67ad201b86339fd675ca4ae42d760aaf4a765f842c
                            • Instruction Fuzzy Hash: EBE0E275911608DFC714CBA4C58068EBBF6FF8C310F68595AD801A2320C232AE02CE10
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2dcdab6744efc7a653a1f8c59cede5f2c3b2a3ab98b2ed20214074065e227ec1
                            • Instruction ID: 6a527fa3bb265fbb6b7370ffa9094daba1d7d605f0a2367b9503f4b016c01769
                            • Opcode Fuzzy Hash: 2dcdab6744efc7a653a1f8c59cede5f2c3b2a3ab98b2ed20214074065e227ec1
                            • Instruction Fuzzy Hash: 42C0803BD041158DCA01E754F9005E4FF13D58536575445F7C3645310AC3B103555681
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd1898d7e154ba3076f58a7840205285746b50e2a60b6cb96b1d24aeaf98e9dc
                            • Instruction ID: b0f88235aa3e1003290900094ce380249fd1483c59907b2cddb8afd1ee52b4a2
                            • Opcode Fuzzy Hash: bd1898d7e154ba3076f58a7840205285746b50e2a60b6cb96b1d24aeaf98e9dc
                            • Instruction Fuzzy Hash: B5C08C6924AB40AA82002F208E141263BA2F6222203182282E852DA432CCA2C693FA81
                            APIs
                            • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CF95F86
                            • IsDebuggerPresent.KERNEL32 ref: 6CF96052
                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF9606B
                            • UnhandledExceptionFilter.KERNEL32(?), ref: 6CF96075
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
• Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                            • String ID:
                            • API String ID: 254469556-0
                            • Opcode ID: 7dc63289fcdb1813f92d59fdd0a6a47bfdc8a3caaa270adcdbc1fb18cc78abea
                            • Instruction ID: b53ac5444a5c981af6d4659acbe7eef715ab5083181d4dc3e4a137b23e635e89
                            • Opcode Fuzzy Hash: 7dc63289fcdb1813f92d59fdd0a6a47bfdc8a3caaa270adcdbc1fb18cc78abea
                            • Instruction Fuzzy Hash: 34310CB5D05218DBEF60DFA5D989BCDBBB8AF08304F10419AE40DAB250E7719A85CF45
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CF9A00F
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CF9A019
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CF9A026
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
• Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: 9dab437837d49dbc3c840d85b71f1067f5f8ea027fa7d9a44915e91b3aa2ed32
                            • Instruction ID: 6eed1cf17ea3c725ca777047b9a4f19df221b3529cfe4761ba24f3136138dc92
                            • Opcode Fuzzy Hash: 9dab437837d49dbc3c840d85b71f1067f5f8ea027fa7d9a44915e91b3aa2ed32
                            • Instruction Fuzzy Hash: 8631B374D11228ABDF61DF65D888BCDBBB8BF08314F5042DAE41CA7250E7749B858F45
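The two entries above are what the "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature rests on: IsDebuggerPresent followed by SetUnhandledExceptionFilter(0) and UnhandledExceptionFilter, the first one preceded by IsProcessorFeaturePresent(0x17). That exact shape, with 0x17 (PF_FASTFAIL_AVAILABLE) checked first, is what MSVC's CRT emits for its /GS cookie-failure reporting path (__report_gsfailure / __raise_securityfailure), so a hit there is compiler boilerplate until its callers say otherwise; the absence of the 0x17 check in the second entry does not by itself prove custom code either. Both entries sit in the region at 6CF80000 that is "based on PE: true", while the 0A820000 and 00FD0000 regions in this section are not backed by any image. The following added example, not part of the Joe Sandbox report, parses entries of this shape into records, flags the triple, separates the unmistakable CRT shape, and lists the dump regions that no PE backs. SAMPLE is a constructed excerpt of three entries copied from this report and trimmed to the fields the parser reads; the FuncEntry/ApiRef types and the ANTI_DEBUG_TRIPLE name are this example's own.

```python
"""Parse Joe Sandbox per-function entries (APIs, Memory Dump Source, Similarity
IDs) and flag what a triager looks at first.

Added example, not code from the report. SAMPLE is a constructed excerpt of
three entries copied from this report, trimmed to the fields read here.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 6CF9BE08
• GetFileType.KERNELBASE(00000000), ref: 6CF9BE1A
Memory Dump Source
• Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: ddc8a15bcb163abddc50a6b112437cf87d4eedca84744b7022370ade7f32583c
• Instruction ID: a52c3e1c83c3f4ba6aee348e27f4d3b254fd8ceda8b5527a265a21bc243d9445
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CF95F86
• IsDebuggerPresent.KERNEL32 ref: 6CF96052
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF9606B
• UnhandledExceptionFilter.KERNEL32(?), ref: 6CF96075
Memory Dump Source
• Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• API String ID: 254469556-0
• Opcode ID: 7dc63289fcdb1813f92d59fdd0a6a47bfdc8a3caaa270adcdbc1fb18cc78abea
APIs
• LoadLibraryW.KERNELBASE(00000000), ref: 0A835C18
Memory Dump Source
• Source File: 00000000.00000002.1661034081.000000000A820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A820000, based on PE: false
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID: 20d008cadf3b23910bc20e64dee27d818c6865a9750a6d3c30f9e186921fd491
"""


@dataclass
class ApiRef:
    name: str       # e.g. GetStdHandle
    module: str     # e.g. KERNEL32
    args: str       # argument list as printed, "" when none was shown
    ref: str        # call-site address


@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)
    offset: str = ""            # base of the dump region holding the function
    based_on_pe: bool = False   # False: no image on disk backs this region
    fields: dict = field(default_factory=dict)

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID", "")

    def api_names(self):
        return [a.name for a in self.apis]


BULLET = r"^[•\-*]?\s*"
API_RE = re.compile(BULLET + r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(BULLET + r"Source File:.*?Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")
FIELD_RE = re.compile(BULLET + r"(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Snapshot File):\s*(.*)$")
ENTRY_START = {"APIs", "Strings", "Memory Dump Source"}   # headers an entry can open with


def parse_entries(text):
    """Split the report text into FuncEntry records; an entry is closed when a
    new opening header appears after its Opcode ID line."""
    entries, cur = [], FuncEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ENTRY_START:
            if cur.opcode_id:
                entries.append(cur)
                cur = FuncEntry()
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiRef(*m.groups(default="")))
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.offset, cur.based_on_pe = m.group(1), m.group(2) == "true"
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m.group(1)] = m.group(2).strip()
    if cur.opcode_id or cur.apis:
        entries.append(cur)
    return entries


ANTI_DEBUG_TRIPLE = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}


def entries_calling(entries, required):
    """Entries whose API references cover every name in `required`."""
    return [e for e in entries if required <= set(e.api_names())]


def is_crt_security_failure_shape(entry):
    """The triple preceded by IsProcessorFeaturePresent(0x17) is the layout the
    MSVC CRT emits for its /GS cookie-failure handler: compiler boilerplate,
    not evidence of deliberate anti-debugging, until callers are checked."""
    if not ANTI_DEBUG_TRIPLE <= set(entry.api_names()):
        return False
    return any(a.name == "IsProcessorFeaturePresent"
               and a.args.split(",")[0].lstrip("0") == "17" for a in entry.apis)


def functions_per_region(entries):
    """Count functions per (dump base, backed-by-PE) pair."""
    return dict(Counter((e.offset, e.based_on_pe) for e in entries))


def non_image_regions(entries):
    """Dump bases holding code that no PE on disk backs (JIT output, an
    unpacked stage or injected code): the regions to carve first."""
    return sorted({e.offset for e in entries if not e.based_on_pe})


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for e in ents:
        print(e.opcode_id[:16], e.offset, "PE" if e.based_on_pe else "no-PE", e.api_names())
    for e in entries_calling(ents, ANTI_DEBUG_TRIPLE):
        tag = "CRT /GS failure shape" if is_crt_security_failure_shape(e) else "triple without 0x17 check"
        print("debugger/exception-filter triple in", e.opcode_id[:16], "->", tag)
    print("regions not backed by a PE:", non_image_regions(ents))
```

Run against the whole function listing rather than SAMPLE, the region counts show how much of the recovered code lives outside any loaded image, and the Opcode IDs of the flagged entries can be looked up in the Execution Graph to see whether anything in the sample's own code calls them or only the CRT does.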
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
• Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: |'?$|'?
                            • API String ID: 0-911386148
                            • Opcode ID: b455b0aa2276749988312db6239b4820602b900ea6bb25f564eeee80342b69a8
                            • Instruction ID: f3f40d531f30b8cb3a82095369982f03cbceb3768140a7d3b3e763cfae129468
                            • Opcode Fuzzy Hash: b455b0aa2276749988312db6239b4820602b900ea6bb25f564eeee80342b69a8
                            • Instruction Fuzzy Hash: 0B711336B4524A8FDB04CEBCC9917DF7BF2EB4A324F249229C431E7795C23A89459B50
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
• Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: r8"[
                            • API String ID: 0-2432814463
                            • Opcode ID: a9cce3b4dac7e1981f5a91664958fe444d9cecdb7dbf7d4a02f4f644124a8716
                            • Instruction ID: cb8eda54364f7c14929956338f0de127a5a04546274ac4baa4d73a497974ecc7
                            • Opcode Fuzzy Hash: a9cce3b4dac7e1981f5a91664958fe444d9cecdb7dbf7d4a02f4f644124a8716
                            • Instruction Fuzzy Hash: 7F12F476E442098FEF08CEBCE5D07CE7BF2EB4A356F108205D526E7B54C62989068F15
                            APIs
                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CFA0B60,?,?,00000008,?,?,6CFA0763,00000000), ref: 6CFA0D92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
• Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionRaise
                            • String ID:
                            • API String ID: 3997070919-0
                            • Opcode ID: 06a8345cff7d6b73c07f31326811433ffda5eec9535042f8147e04610158b7bc
                            • Instruction ID: 46063695fade899ab4b3d86802a1908166281576b1b52c529076086a5a379a96
                            • Opcode Fuzzy Hash: 06a8345cff7d6b73c07f31326811433ffda5eec9535042f8147e04610158b7bc
                            • Instruction Fuzzy Hash: 1FB19C32210648DFD705CF68D486B95BBE0FF05368F258658E8EACF6A1C375E982CB40
                            APIs
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CF9614E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
• Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: FeaturePresentProcessor
                            • String ID:
                            • API String ID: 2325560087-0
                            • Opcode ID: 5482182f7583da8c6408677f8c32a50e69260d7338d33983cb0ee748e719edc3
                            • Instruction ID: 62e3a4699b5503f51a738d76dfdb564f0a94e1f3739128183207e619138a5906
                            • Opcode Fuzzy Hash: 5482182f7583da8c6408677f8c32a50e69260d7338d33983cb0ee748e719edc3
                            • Instruction Fuzzy Hash: 4E517AB1E212098BEF85CF55E58179EBBF4FB89318F21812AE425EB740D374A944CF90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: eo{
                            • API String ID: 0-14062754
                            • Opcode ID: 52c7281224b7eae250ea9ebac8a75dc9a1f9a7ed461700282bb3f0a6bc6414d8
                            • Instruction ID: 031cc173fc3dc5bf03e35384a2d4a06ab243c9e7fb1f001182e58b518c1f84fa
                            • Opcode Fuzzy Hash: 52c7281224b7eae250ea9ebac8a75dc9a1f9a7ed461700282bb3f0a6bc6414d8
                            • Instruction Fuzzy Hash: E041C2726246068FC794CB29C94165BFBF3FF95310B68C86BD156CB760D234D940EB82
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID: eo{
                            • API String ID: 0-14062754
                            • Opcode ID: 5e946f05f2dfca9ec123a4ac89a5ef777724cd2bf0c30b133362c9339afde884
                            • Instruction ID: 039fbbe35c22ddcbd4564154fa04fe6e6e98d325b968972400aa7fa4ec91ffa7
                            • Opcode Fuzzy Hash: 5e946f05f2dfca9ec123a4ac89a5ef777724cd2bf0c30b133362c9339afde884
                            • Instruction Fuzzy Hash: 15419072624606CFC794CB29C98561BB7F7FB94360B68C82BD126CB764D234E941EF81
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapProcess
                            • String ID:
                            • API String ID: 54951025-0
                            • Opcode ID: fbb07a5de19d394ca717b1ecf76dc8a880dde2038170164866ae97d28f33d851
                            • Instruction ID: 4f03f08f4508e74cd66d52f73faec756c88dc4d76798f6783bf494ff6be51006
                            • Opcode Fuzzy Hash: fbb07a5de19d394ca717b1ecf76dc8a880dde2038170164866ae97d28f33d851
                            • Instruction Fuzzy Hash: 91A01130B20200CB8B80CEB2A30A30CBAFCAA02A80302802CA80AC0020EA3880008F02
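The "Source File" descriptors above encode where each disassembled function was found: a process index, an analysis stage, a dump identifier, the region's base address, and three hexadecimal fields that distinguish the self-allocated region at 00FD0000 ("based on PE: false") from the loaded module at 6CF80000 ("based on PE: true"). The following is an added example, not part of the Joe Sandbox report or its tooling, that parses those descriptors and ranks the dumps for triage. It assumes (as labelled in the code) that the fifth field is a Win32 PAGE_* protection value and the seventh a MEMORY_BASIC_INFORMATION Type value; the 0x20 / 0x1000000 (MEM_IMAGE) pairing on the image-backed dumps and the 0x40 / 0x20000 (MEM_PRIVATE) pairing on the non-image dumps are consistent with that reading. The sixth field is not explained on the page and is kept raw. The sample descriptors are the ones listed in this section.

```python
"""Decode Joe Sandbox memory-dump descriptors and rank them for triage.

Example added for illustration; not code from Joe Sandbox. Field meanings for
protection (field 5) and type (field 7) are an assumption based on Win32
constants; field 6 is kept raw because the report does not document it.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# winnt.h page-protection base values (low byte) and modifier flags.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE_BASE = {0x10, 0x20, 0x40, 0x80}
WRITABLE_BASE = {0x04, 0x08, 0x40, 0x80}
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
BACKING = {0x20000: "private", 0x40000: "mapped", 0x1000000: "image"}

DESCRIPTOR_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<ident>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<field6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<modidx>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpDescriptor:
    process_index: int
    stage: int
    ident: str          # dump identifier; base not documented, so kept as text
    base: int           # region base address
    protection: int     # assumed Win32 PAGE_* value
    field6: int         # meaning not documented in the report; kept raw
    mem_type: int       # assumed MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    module_index: int


def parse_descriptor(name: str) -> DumpDescriptor:
    """Split one .sdmp file name into its dotted fields."""
    m = DESCRIPTOR_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump descriptor: {name!r}")
    return DumpDescriptor(
        process_index=int(m["proc"], 16), stage=int(m["stage"], 16), ident=m["ident"],
        base=int(m["base"], 16), protection=int(m["prot"], 16), field6=int(m["field6"], 16),
        mem_type=int(m["mtype"], 16), module_index=int(m["modidx"], 16),
    )


def protection_name(prot: int) -> str:
    """Render a PAGE_* value, including modifier flags, as its symbolic name(s)."""
    base = prot & 0xFF
    parts = [PAGE_PROTECTIONS.get(base, f"0x{base:x}")]
    parts += [name for bit, name in PAGE_MODIFIERS.items() if prot & bit]
    return "|".join(parts)


def mem_type_name(mem_type: int) -> str:
    return MEM_TYPES.get(mem_type, f"0x{mem_type:x}")


def classify(d: DumpDescriptor) -> str:
    """Label a dump as <backing>-<access>, e.g. 'private-rwx' or 'image-rx'."""
    base = d.protection & 0xFF
    executable, writable = base in EXECUTABLE_BASE, base in WRITABLE_BASE
    if base == 0x01:
        access = "noaccess"
    elif executable and writable:
        access = "rwx"
    elif executable:
        access = "rx"
    elif writable:
        access = "rw"
    else:
        access = "r"
    return f"{BACKING.get(d.mem_type, 'unknown')}-{access}"


# Lower number = look here first. Executable memory that is not image-backed and
# is also writable is the classic home of an unpacked or injected payload.
SUSPICION = {"private-rwx": 0, "mapped-rwx": 1, "private-rx": 2, "mapped-rx": 3, "image-rx": 4}


def triage(names: List[str]) -> List[Tuple[str, str, str, str]]:
    """Deduplicate descriptors and return (base, class, protection, type) rows, most suspicious first."""
    rows = []
    for n in dict.fromkeys(names):            # preserve order, drop repeats
        d = parse_descriptor(n)
        label = classify(d)
        rows.append((SUSPICION.get(label, 9), f"{d.base:016x}", label,
                     protection_name(d.protection), mem_type_name(d.mem_type)))
    rows.sort()
    return [r[1:] for r in rows]


# Descriptors taken from the report entries in this section.
SAMPLE_DESCRIPTORS = [
    "00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp",
    "00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp",
    "00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp",
    "00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp",
    "00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp",
    "00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp",
    "00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp",
    "00000000.00000002.1661034081.000000000A820000.00000040.00000800.00020000.00000000.sdmp",
    "00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for base, label, prot, mtype in triage(SAMPLE_DESCRIPTORS):
        print(f"{base}  {label:14} {prot:24} {mtype}")
```

Run stand-alone, the table puts the two private PAGE_EXECUTE_READWRITE regions (00FD0000 and 0A820000) at the top and the MEM_IMAGE module at 6CF80000 below them. That ordering matches what the function listing itself shows: the 6CF80000 functions reference VC runtime routines (`_ValidateLocalCookies`, `___except_validate_context_record`, the `mscoree.dll`/`CorExitProcess` lookup), which is ordinary CRT code inside a loaded module, whereas code in a private RWX region that is not backed by a PE on disk is where an unpacked stage or injected payload is expected and where a memory Yara or configuration hit carries the most weight.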
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp, Offset: 6CFA9000, based on PE: true
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c1c04f1ff6574383b556a6376973668ba126c4031f6106f5aec94510e884408
                            • Instruction ID: 863da2f6b5b5ff2d6e78decb9d98cd9f5e2a9862c919cb69db55b086dfa24942
                            • Opcode Fuzzy Hash: 3c1c04f1ff6574383b556a6376973668ba126c4031f6106f5aec94510e884408
                            • Instruction Fuzzy Hash: E662346144E3C29FD7138B749C746E2BFB0AE5721471E09DBD8C08F4A3E2191A6AD772
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661034081.000000000A820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A820000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a820000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72ea17dd4ad6af7d5b0b94d8ee907c370351f5e717124f7738813f3d57072f41
                            • Instruction ID: db3311bc600c03f08576962b7b12a11860c8ccf0d26d21ca4cbe3d435e04559b
                            • Opcode Fuzzy Hash: 72ea17dd4ad6af7d5b0b94d8ee907c370351f5e717124f7738813f3d57072f41
                            • Instruction Fuzzy Hash: 9AD13572B182158FCB15CB69C9815BEFBF2EFD9310B1489AAD496DB255E730EC41CB80
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c46b430844fe8ba97a27ad9f074e09fb7f5d024e35265b934fc815f13acb0a81
                            • Instruction ID: 746a23361cfe2d666b247d8b526c3a2e1d5dc2fe5e3861fdbc7589314e98303f
                            • Opcode Fuzzy Hash: c46b430844fe8ba97a27ad9f074e09fb7f5d024e35265b934fc815f13acb0a81
                            • Instruction Fuzzy Hash: AF61E076E166058FCF08CEBCD9846DEBBF2EB4A320F148316E521E77D0D23599058B54
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b7e0a56b83682c021ae43d89d4f53d2dbd7bf71bbe09c69fbc1537bd28e29f0b
                            • Instruction ID: b130d03082adb0ec048311b02fa8b72fd1bc7c41919ef0e96f4f72b67bf57f31
                            • Opcode Fuzzy Hash: b7e0a56b83682c021ae43d89d4f53d2dbd7bf71bbe09c69fbc1537bd28e29f0b
                            • Instruction Fuzzy Hash: F3413572A2E285CFC755CB34C996048BFE3EF06210719CAABC5948BA46C224D947EB43
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0871ad24a14551f5348df2eee60538bf0c053c66c3afb7e4e95294bcb6b1a5ad
                            • Instruction ID: dd5d7fb6048f2655f0c073c69b74ea88c6f584f0cea689638acfd2d938c9806c
                            • Opcode Fuzzy Hash: 0871ad24a14551f5348df2eee60538bf0c053c66c3afb7e4e95294bcb6b1a5ad
                            • Instruction Fuzzy Hash: 0141FDF7F185458FC7008F58CC45A6EBBB6AB89304F288567DA19EB751D134CE01EB92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93dbc349800d280a8a08f5bda089fcfac19dbe6b96d33461bb2ef06f37a30af5
                            • Instruction ID: 25b69087cfdc94acaf6cf2dd7be0ca518a480eab1920ad03b5eaadecf86bfcd5
                            • Opcode Fuzzy Hash: 93dbc349800d280a8a08f5bda089fcfac19dbe6b96d33461bb2ef06f37a30af5
                            • Instruction Fuzzy Hash: CA31F0F7F185458FC7408F58CC45A6AB7F7AB88304F1885679A19EB750D230DE01EB82
                            Memory Dump Source
                            • Source File: 00000000.00000002.1657812644.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_fd0000_qg155Ew08h.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c4c0b5e035cebcdabf3a5829a9101d42ccb5ec5ecc17d0168f7a757f91b968c4
                            • Instruction ID: d427a9cd3bff11c5f45b0b31141013245bbf08cd25839aa963d3198b3bb45fab
                            • Opcode Fuzzy Hash: c4c0b5e035cebcdabf3a5829a9101d42ccb5ec5ecc17d0168f7a757f91b968c4
                            • Instruction Fuzzy Hash: 5B21C377E14509CF9B98CB28C640569B7B3BF89300B29C227CA45EB715D378DE42AB53
                            APIs
                            • type_info::operator==.LIBVCRUNTIME ref: 6CF97AC9
                            • ___TypeMatch.LIBVCRUNTIME ref: 6CF97BD7
                            • _UnwindNestedFrames.LIBCMT ref: 6CF97D29
                            • CallUnexpected.LIBVCRUNTIME ref: 6CF97D44
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                            • String ID: csm$csm$csm
                            • API String ID: 2751267872-393685449
                            • Opcode ID: b26be460ddf7a60d1519a9d3391b2fdc8958922aa384476060b062ba75f98c4d
                            • Instruction ID: dd32fda33698a32c9885ed35c546d664f34dcd04b60ada28a399577515ef78f7
                            • Opcode Fuzzy Hash: b26be460ddf7a60d1519a9d3391b2fdc8958922aa384476060b062ba75f98c4d
                            • Instruction Fuzzy Hash: 51B17871800309EFEF0ACFA5D88099EBBB5FF44318F15425BE811ABA21D731DA65CB91
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 6CF96A87
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6CF96A8F
                            • _ValidateLocalCookies.LIBCMT ref: 6CF96B18
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6CF96B43
                            • _ValidateLocalCookies.LIBCMT ref: 6CF96B98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 913b982d07dda4c9c1aa2732fbd3e17de350659784b2e4226e3a35f08eecfac1
                            • Instruction ID: b4e980be05b43e8c00d14f97022d5a2be5b2c810f7f2db2a2a7bccc347ab46e5
                            • Opcode Fuzzy Hash: 913b982d07dda4c9c1aa2732fbd3e17de350659784b2e4226e3a35f08eecfac1
                            • Instruction Fuzzy Hash: 3A418E35A00208ABDF40CF69C884A9EBBB5AF4636CF108155F819DBB51E732E905CBD1
                            APIs
                            • FreeLibrary.KERNEL32(00000000,?,6CF9BA29,00000000,6CF99230,00000000,00000000,00000001,?,6CF9BBA2,00000022,FlsSetValue,6CFA3CD8,6CFA3CE0,00000000), ref: 6CF9B9DB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeLibrary
                            • String ID: api-ms-$ext-ms-
                            • API String ID: 3664257935-537541572
                            • Opcode ID: d3e9a814941ef8e3b2d2b5c514b36cdf19af689b35d920601f379b68979af0d8
                            • Instruction ID: 45a863d6092e71cd89e7eb30dc4431ffba40ae690310f8d3d161621b533bb090
                            • Opcode Fuzzy Hash: d3e9a814941ef8e3b2d2b5c514b36cdf19af689b35d920601f379b68979af0d8
                            • Instruction Fuzzy Hash: BD21EE32F15214EBEF315A66DC84B4E7779DF43364B250A14E819A7780DB71ED00C6D1
                            APIs
                            • GetLastError.KERNEL32(00000001,?,6CF96C31,6CF95D50,6CF95769,?,6CF959A1,?,00000001,?,?,00000001,?,6CFA7AD8,0000000C,6CF95A9A), ref: 6CF9700C
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF9701A
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF97033
                            • SetLastError.KERNEL32(00000000,6CF959A1,?,00000001,?,?,00000001,?,6CFA7AD8,0000000C,6CF95A9A,?,00000001,?), ref: 6CF97085
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastValue___vcrt_
                            • String ID:
                            • API String ID: 3852720340-0
                            • Opcode ID: 4639496f245fd3261dcd81873244d2adf5583468b01fe27f2bb9ad85e7764cd7
                            • Instruction ID: 81c675274075d4ad942aa4073ad2e9c273b55761d90db2c051a8e1b26bcb3f69
                            • Opcode Fuzzy Hash: 4639496f245fd3261dcd81873244d2adf5583468b01fe27f2bb9ad85e7764cd7
                            • Instruction Fuzzy Hash: E7018432B1D3259EBE5519BE7C84A9B7678EB02A7C734032BF664469F0FF5248089245
                            Strings
                            • C:\Users\user\Desktop\qg155Ew08h.exe, xrefs: 6CF9AB6A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: C:\Users\user\Desktop\qg155Ew08h.exe
                            • API String ID: 0-1313919018
                            • Opcode ID: 18ffd01c9a2379ccb1457892cfc5113cf0a712a11c6dab8738d0cd98b94b2e6f
                            • Instruction ID: 60b81083dc60559f011def6f048057413c24464842858b5985f22289f96ace7e
                            • Opcode Fuzzy Hash: 18ffd01c9a2379ccb1457892cfc5113cf0a712a11c6dab8738d0cd98b94b2e6f
                            • Instruction Fuzzy Hash: FD218E31A04215AFAF119E7A884099B77F9FF4276C7054A19E9198BA40E730E8548B60
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8E09C9F2,00000000,?,00000000,6CFA1462,000000FF,?,6CF98AF8,?,?,6CF98ACC,?), ref: 6CF98B93
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF98BA5
                            • FreeLibrary.KERNEL32(00000000,?,00000000,6CFA1462,000000FF,?,6CF98AF8,?,?,6CF98ACC,?), ref: 6CF98BC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 06110399cfacec455ef28c597ae7909897660784b4be0b3a4d3d5d7c4f705c3d
                            • Instruction ID: fa7d9088f059aa78bbc852d0e66556ea9971083d71fee061570c22de3207b983
                            • Opcode Fuzzy Hash: 06110399cfacec455ef28c597ae7909897660784b4be0b3a4d3d5d7c4f705c3d
                            • Instruction Fuzzy Hash: 42018671A24519EFDF428F95CC09FAEFBB9FB05714F048526FC22A2A90DB76D904CA50
                            APIs
                            • __alloca_probe_16.LIBCMT ref: 6CF9D65A
                            • __alloca_probe_16.LIBCMT ref: 6CF9D723
                            • __freea.LIBCMT ref: 6CF9D78A
                              • Part of subcall function 6CF9C77A: HeapAlloc.KERNEL32(00000000,6CF9B0C7,6CF9C494,?,6CF9B0C7,00000220,?,?,6CF9C494), ref: 6CF9C7AC
                            • __freea.LIBCMT ref: 6CF9D79D
                            • __freea.LIBCMT ref: 6CF9D7AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: __freea$__alloca_probe_16$AllocHeap
                            • String ID:
                            • API String ID: 1096550386-0
                            • Opcode ID: a8517753b9b4c35971554d292e51451b88d04fb67fe0548b71ab50fa0e9f886d
                            • Instruction ID: 637ba8f720ba37b4c7ade7497acf86c8502c43ee80504d1d8c9c9d942a0054fb
                            • Opcode Fuzzy Hash: a8517753b9b4c35971554d292e51451b88d04fb67fe0548b71ab50fa0e9f886d
                            • Instruction Fuzzy Hash: BA51AF76601206AFFF259EA5CC80EAB3BB9EF84318B310529FD14D7A10EB34D8548761
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CF97583,00000000,?,00000001,?,?,?,6CF97672,00000001,FlsFree,6CFA33B0,FlsFree), ref: 6CF975DF
                            • GetLastError.KERNEL32(?,6CF97583,00000000,?,00000001,?,?,?,6CF97672,00000001,FlsFree,6CFA33B0,FlsFree,00000000,?,6CF970D3), ref: 6CF975E9
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CF97611
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            • String ID: api-ms-
                            • API String ID: 3177248105-2084034818
                            • Opcode ID: e0a3ee4a76b857e18cbd55cc77199718d61298ae2a00454e63bb5b2952fbf588
                            • Instruction ID: 3c383023ff1340c92a8fde1d0c8568ba56228b4e5e3a8fa03df1a2de7a74c03e
                            • Opcode Fuzzy Hash: e0a3ee4a76b857e18cbd55cc77199718d61298ae2a00454e63bb5b2952fbf588
                            • Instruction Fuzzy Hash: 8DE01A30744305FAFF601AA3EC0DB4D7A76AB02B48F208421F90EA8891EB62E5108999
                            APIs
                            • GetConsoleOutputCP.KERNEL32(8E09C9F2,00000000,00000000,?), ref: 6CF9DD45
                              • Part of subcall function 6CF9B71C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF9D780,?,00000000,-00000008), ref: 6CF9B77D
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF9DF97
                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF9DFDD
                            • GetLastError.KERNEL32 ref: 6CF9E080
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                            • String ID:
                            • API String ID: 2112829910-0
                            • Opcode ID: 1936b58616147b9f16abe875b60b37af546374008611d6813b65c52e8dcea78c
                            • Instruction ID: ac4005e9b546a74add211c7eccc2cc88d015a7264fb53efbb437c2e42e76025e
                            • Opcode Fuzzy Hash: 1936b58616147b9f16abe875b60b37af546374008611d6813b65c52e8dcea78c
                            • Instruction Fuzzy Hash: 3DD17975E012489FEF04CFE8D880AEDBBB5FF09304F28412AE965AB751D731A906CB50
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                             • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                             • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: AdjustPointer
                            • String ID:
                            • API String ID: 1740715915-0
                            • Opcode ID: 6a34deb506417bf9e3cf191b49a918408f25530d1ef1626fddcbd8dcc06e131f
                            • Instruction ID: 807db1dcbbb0d227cbbcccb08f30062465a67ef8668e8d1669628edea42b378a
                            • Opcode Fuzzy Hash: 6a34deb506417bf9e3cf191b49a918408f25530d1ef1626fddcbd8dcc06e131f
                            • Instruction Fuzzy Hash: 0451B272A05302EFFF198F55D840BAAB7A4EF44718F34452FE82597AA0E731E844CB91
                            APIs
                              • Part of subcall function 6CF9B71C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF9D780,?,00000000,-00000008), ref: 6CF9B77D
                            • GetLastError.KERNEL32 ref: 6CF9A3CC
                            • __dosmaperr.LIBCMT ref: 6CF9A3D3
                            • GetLastError.KERNEL32(?,?,?,?), ref: 6CF9A40D
                            • __dosmaperr.LIBCMT ref: 6CF9A414
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                            • String ID:
                            • API String ID: 1913693674-0
                            • Opcode ID: 6d46af583f9f7db5878cbe636f8b432a084c88a1892dae9911ca1c992dfb1914
                            • Instruction ID: bf92d183620f08f86a527e342d14663c380d1f645e51a221d8a391472a5c6264
                            • Opcode Fuzzy Hash: 6d46af583f9f7db5878cbe636f8b432a084c88a1892dae9911ca1c992dfb1914
                            • Instruction Fuzzy Hash: A321B031E04215AFFF108FAB888495BB7F9FF453687158628EC1987A10E732EC54CB90
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 6CF9B7C7
                              • Part of subcall function 6CF9B71C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF9D780,?,00000000,-00000008), ref: 6CF9B77D
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF9B7FF
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF9B81F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                            • String ID:
                            • API String ID: 158306478-0
                            • Opcode ID: c307c4356e50c511ddbb4cead76496f34554df4545f4dce4d276f7316b246dc0
                            • Instruction ID: f84c45fa90d818af59f60618ad06d0c631e0b639b418c92ef19faed193356946
                            • Opcode Fuzzy Hash: c307c4356e50c511ddbb4cead76496f34554df4545f4dce4d276f7316b246dc0
                            • Instruction Fuzzy Hash: 90112BB2E19215BFBF2117B65CCCCAF7A6CCF4A2987110925F501D1A00EB75CD068571
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CF9EE16,00000000,00000001,00000000,?,?,6CF9E0D4,?,00000000,00000000), ref: 6CF9F66D
                            • GetLastError.KERNEL32(?,6CF9EE16,00000000,00000001,00000000,?,?,6CF9E0D4,?,00000000,00000000,?,?,?,6CF9E677,00000000), ref: 6CF9F679
                              • Part of subcall function 6CF9F63F: CloseHandle.KERNEL32(FFFFFFFE,6CF9F689,?,6CF9EE16,00000000,00000001,00000000,?,?,6CF9E0D4,?,00000000,00000000,?,?), ref: 6CF9F64F
                            • ___initconout.LIBCMT ref: 6CF9F689
                              • Part of subcall function 6CF9F601: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF9F630,6CF9EE03,?,?,6CF9E0D4,?,00000000,00000000,?), ref: 6CF9F614
                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CF9EE16,00000000,00000001,00000000,?,?,6CF9E0D4,?,00000000,00000000,?), ref: 6CF9F69E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            • API String ID: 2744216297-0
                            • Opcode ID: 78c5b8fda49a6d0887cebf668c26465ed7d07ddfb5b39c9e5a378516963c721c
                            • Instruction ID: c77d57e43ec1138165ff86421117294f24a874982fa97e19dc2e7ccc710117a8
                            • Opcode Fuzzy Hash: 78c5b8fda49a6d0887cebf668c26465ed7d07ddfb5b39c9e5a378516963c721c
                            • Instruction Fuzzy Hash: C2F0AC36A55224BBDFD21FD6DC08A8D7F76FB0A3A5B154110FA1D96520CA33C820DB95
                            APIs
                            • EncodePointer.KERNEL32(00000000,?), ref: 6CF97D74
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1661154336.000000006CF81000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF80000, based on PE: true
                            • Associated: 00000000.00000002.1661117584.000000006CF80000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661418137.000000006CFA2000.00000002.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFA9000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661491659.000000006CFEA000.00000004.00000001.01000000.00000007.sdmp
                            • Associated: 00000000.00000002.1661708764.000000006CFF5000.00000002.00000001.01000000.00000007.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6cf80000_qg155Ew08h.jbxd
                            Yara matches
                            Similarity
                            • API ID: EncodePointer
                            • String ID: MOC$RCC
                            • API String ID: 2118026453-2084237596
                            • Opcode ID: 1b4dec60af6788b2d1ec96afea333e8f19dd6e53c51c493419e98ceaec3ded52
                            • Instruction ID: 4df17431805573b4ef3ac392b28fa0638f2075f55ba49eaa6d03e0f9ed6adfd8
                            • Opcode Fuzzy Hash: 1b4dec60af6788b2d1ec96afea333e8f19dd6e53c51c493419e98ceaec3ded52
                            • Instruction Fuzzy Hash: 6A414A71A00209EFEF06DF94CC81AEEBBB5FF48308F25815AF914A7660D3359951DB91

                            Execution Graph

                            Execution Coverage:6.9%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:90
                            Total number of Limit Nodes:5
                            execution_graph 15219 ec4668 15220 ec4684 15219->15220 15221 ec4696 15220->15221 15225 ec47ab 15220->15225 15230 ec3e10 15221->15230 15226 ec47c5 15225->15226 15234 ec48a7 15226->15234 15238 ec48b0 15226->15238 15231 ec3e1b 15230->15231 15246 ec5c54 15231->15246 15233 ec46b5 15236 ec48d7 15234->15236 15235 ec49b4 15235->15235 15236->15235 15242 ec4248 15236->15242 15240 ec48d7 15238->15240 15239 ec49b4 15239->15239 15240->15239 15241 ec4248 CreateActCtxA 15240->15241 15241->15239 15243 ec5940 CreateActCtxA 15242->15243 15245 ec5a03 15243->15245 15247 ec5c5f 15246->15247 15250 ec5c64 15247->15250 15249 ec709d 15249->15233 15251 ec5c6f 15250->15251 15254 ec5c94 15251->15254 15253 ec717a 15253->15249 15255 ec5c9f 15254->15255 15258 ec5cc4 15255->15258 15257 ec726d 15257->15253 15259 ec5ccf 15258->15259 15261 ec8653 15259->15261 15264 ecad0b 15259->15264 15260 ec8691 15260->15257 15261->15260 15268 eccdeb 15261->15268 15273 ecad38 15264->15273 15277 ecad33 15264->15277 15265 ecad16 15265->15261 15269 ecce11 15268->15269 15270 ecce35 15269->15270 15304 eccfa0 15269->15304 15308 eccf90 15269->15308 15270->15260 15282 ecae2b 15273->15282 15287 ecae30 15273->15287 15274 ecad47 15274->15265 15278 ecad38 15277->15278 15280 ecae2b LoadLibraryExW 15278->15280 15281 ecae30 LoadLibraryExW 15278->15281 15279 ecad47 15279->15265 15280->15279 15281->15279 15283 ecae41 15282->15283 15284 ecae5c 15282->15284 15283->15284 15292 ecb0c8 15283->15292 15296 ecb0bb 15283->15296 15284->15274 15288 ecae41 15287->15288 15289 ecae5c 15287->15289 15288->15289 15290 ecb0c8 LoadLibraryExW 15288->15290 15291 ecb0bb LoadLibraryExW 15288->15291 15289->15274 15290->15289 15291->15289 15293 ecb0dc 15292->15293 15294 ecb101 15293->15294 15300 eca870 15293->15300 15294->15284 15297 ecb0dc 15296->15297 15298 ecb101 15297->15298 15299 eca870 LoadLibraryExW 15297->15299 15298->15284 15299->15298 15301 ecb2a8 LoadLibraryExW 15300->15301 15303 ecb321 15301->15303 15303->15294 
15305 eccfad 15304->15305 15306 eccfe7 15305->15306 15312 ecc8d8 15305->15312 15306->15270 15310 eccfa0 15308->15310 15309 eccfe7 15309->15270 15310->15309 15311 ecc8d8 LoadLibraryExW 15310->15311 15311->15309 15313 ecc8e3 15312->15313 15315 ecd8f8 15313->15315 15316 ecca04 15313->15316 15315->15315 15317 ecca0f 15316->15317 15318 ec5cc4 LoadLibraryExW 15317->15318 15319 ecd967 15318->15319 15319->15315 15320 ecd0b8 15321 ecd0fe GetCurrentProcess 15320->15321 15323 ecd149 15321->15323 15324 ecd150 GetCurrentThread 15321->15324 15323->15324 15325 ecd18d GetCurrentProcess 15324->15325 15326 ecd186 15324->15326 15327 ecd1c3 15325->15327 15326->15325 15328 ecd1eb GetCurrentThreadId 15327->15328 15329 ecd21c 15328->15329 15330 ecb020 15331 ecb068 GetModuleHandleW 15330->15331 15332 ecb062 15330->15332 15333 ecb095 15331->15333 15332->15331 15334 ecd300 DuplicateHandle 15335 ecd396 15334->15335

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 294 ecd0a8-ecd147 GetCurrentProcess 298 ecd149-ecd14f 294->298 299 ecd150-ecd184 GetCurrentThread 294->299 298->299 300 ecd18d-ecd1c1 GetCurrentProcess 299->300 301 ecd186-ecd18c 299->301 303 ecd1ca-ecd1e5 call ecd289 300->303 304 ecd1c3-ecd1c9 300->304 301->300 306 ecd1eb-ecd21a GetCurrentThreadId 303->306 304->303 308 ecd21c-ecd222 306->308 309 ecd223-ecd285 306->309 308->309
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 00ECD136
                            • GetCurrentThread.KERNEL32 ref: 00ECD173
                            • GetCurrentProcess.KERNEL32 ref: 00ECD1B0
                            • GetCurrentThreadId.KERNEL32 ref: 00ECD209
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 61150cb1963d8fd022289c3facae6193daea4653737dfbfb0b6ed0d0d51a0a6f
                            • Instruction ID: 9ae56b89188be0108d5ffc953f769505a821360ad51a0e8bce473fba58274d58
                            • Opcode Fuzzy Hash: 61150cb1963d8fd022289c3facae6193daea4653737dfbfb0b6ed0d0d51a0a6f
                            • Instruction Fuzzy Hash: D05178B09012498FDB14CFA9DA48B9EBBF1EF88304F24856DE059A7360DB359984CF65

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 316 ecd0b8-ecd147 GetCurrentProcess 320 ecd149-ecd14f 316->320 321 ecd150-ecd184 GetCurrentThread 316->321 320->321 322 ecd18d-ecd1c1 GetCurrentProcess 321->322 323 ecd186-ecd18c 321->323 325 ecd1ca-ecd1e5 call ecd289 322->325 326 ecd1c3-ecd1c9 322->326 323->322 328 ecd1eb-ecd21a GetCurrentThreadId 325->328 326->325 330 ecd21c-ecd222 328->330 331 ecd223-ecd285 328->331 330->331
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 00ECD136
                            • GetCurrentThread.KERNEL32 ref: 00ECD173
                            • GetCurrentProcess.KERNEL32 ref: 00ECD1B0
                            • GetCurrentThreadId.KERNEL32 ref: 00ECD209
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 3749f6937f95030189422752fcce762be4532953b108f46886aafb8adbe7e2d3
                            • Instruction ID: ba99e8cc6e19736e216e40673d32d5ac9f408746a7a13705b5ef4d6fcc1f1208
                            • Opcode Fuzzy Hash: 3749f6937f95030189422752fcce762be4532953b108f46886aafb8adbe7e2d3
                            • Instruction Fuzzy Hash: C15178B0901209CFDB14DFA9DA48B9EBBF1EF88314F248569E019B7360CB359984CF65

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 444 ec4248-ec5a01 CreateActCtxA 447 ec5a0a-ec5a64 444->447 448 ec5a03-ec5a09 444->448 455 ec5a66-ec5a69 447->455 456 ec5a73-ec5a77 447->456 448->447 455->456 457 ec5a88 456->457 458 ec5a79-ec5a85 456->458 460 ec5a89 457->460 458->457 460->460
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00EC59F1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 8a33b9d19c20a8b079a57d0345d3d7e229eb538d7b673e8a039e35920cdaff70
                            • Instruction ID: 9a83d81899fd4cb361e9bb2f8dc4d2a357ccbc911363c2a1c1b3a90ba74d508b
                            • Opcode Fuzzy Hash: 8a33b9d19c20a8b079a57d0345d3d7e229eb538d7b673e8a039e35920cdaff70
                            • Instruction Fuzzy Hash: 9641D2B1C00719CADB24CFAAC944B9EBBB5FF49304F24816AD408BB255DB756986CF90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 461 ec593b-ec593e 462 ec5940-ec5a01 CreateActCtxA 461->462 464 ec5a0a-ec5a64 462->464 465 ec5a03-ec5a09 462->465 472 ec5a66-ec5a69 464->472 473 ec5a73-ec5a77 464->473 465->464 472->473 474 ec5a88 473->474 475 ec5a79-ec5a85 473->475 477 ec5a89 474->477 475->474 477->477
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00EC59F1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 9ed9e46dd0aba3c127eba856b48c640d119053545abf8b78647985a996665df1
                            • Instruction ID: c819114131d06f17f38cedc31a5ebedddf61991fefd2c956526345bc780e1f9d
                            • Opcode Fuzzy Hash: 9ed9e46dd0aba3c127eba856b48c640d119053545abf8b78647985a996665df1
                            • Instruction Fuzzy Hash: E941D4B1C00719CEDB14CFA9C984B8DBBB5FF45304F24816AD408BB255DB756986CF90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 478 ecd2f9-ecd394 DuplicateHandle 479 ecd39d-ecd3ba 478->479 480 ecd396-ecd39c 478->480 480->479
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ECD387
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: fae7b9eeb0b22d108fcf8844debbc34799d1e511a89286432e5f54cad2485908
                            • Instruction ID: 0121b1ac0b2d372006b2c90e70e89cdb51f72239c5627ccfbf7ff4ab4264353e
                            • Opcode Fuzzy Hash: fae7b9eeb0b22d108fcf8844debbc34799d1e511a89286432e5f54cad2485908
                            • Instruction Fuzzy Hash: 5C21E3B5900259DFDB10CFAAD984ADEFFF4EB48314F14842AE958A7350C375A950CFA1

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 483 ecd300-ecd394 DuplicateHandle 484 ecd39d-ecd3ba 483->484 485 ecd396-ecd39c 483->485 485->484
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ECD387
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 41dd63b9a99ccd33a6b28dd787188d4e5d9da3af4c283be6f3c8cec5d163dcab
                            • Instruction ID: b431b0f6a75500d6fa903670c2fe6d42f3467f1f649da9244e4091955a470106
                            • Opcode Fuzzy Hash: 41dd63b9a99ccd33a6b28dd787188d4e5d9da3af4c283be6f3c8cec5d163dcab
                            • Instruction Fuzzy Hash: 9D21E4B5900258DFDB10CF9AD984ADEFBF4FB48310F14802AE958A3310C375A950CFA5

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 488 eca870-ecb2e8 490 ecb2ea-ecb2ed 488->490 491 ecb2f0-ecb31f LoadLibraryExW 488->491 490->491 492 ecb328-ecb345 491->492 493 ecb321-ecb327 491->493 493->492
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ECB101,00000800,00000000,00000000), ref: 00ECB312
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 3d4f10b3b491d249894aee7514386b7236ad098595813e64749bbc706454a872
                            • Instruction ID: 0d534858e46808012a62a7762c468cfca5b36f249e7b98e0d41c61d4300bb182
                            • Opcode Fuzzy Hash: 3d4f10b3b491d249894aee7514386b7236ad098595813e64749bbc706454a872
                            • Instruction Fuzzy Hash: FA1103B69002498FCB10CF9AC545BDEFBF4EB48310F10842EE859A7210C375A945CFA5

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 496 ecb2a3-ecb2e8 497 ecb2ea-ecb2ed 496->497 498 ecb2f0-ecb31f LoadLibraryExW 496->498 497->498 499 ecb328-ecb345 498->499 500 ecb321-ecb327 498->500 500->499
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ECB101,00000800,00000000,00000000), ref: 00ECB312
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 8c96400197612f280677012e7e721cb28c9359036de42d4ced304981029c4bab
                            • Instruction ID: 8fdb521c29c60981c5f7b37619d239b6a86bf9a5ca4390f6f9a20db1cfa5c685
                            • Opcode Fuzzy Hash: 8c96400197612f280677012e7e721cb28c9359036de42d4ced304981029c4bab
                            • Instruction Fuzzy Hash: A51123B68002498FCB14CFAAC544BDEFBF4EF88320F14842ED859A7210C375A545CFA1

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 503 ecb01b-ecb060 504 ecb068-ecb093 GetModuleHandleW 503->504 505 ecb062-ecb065 503->505 506 ecb09c-ecb0b0 504->506 507 ecb095-ecb09b 504->507 505->504 507->506
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00ECB086
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: f2d7956e2addaeaa51161abf0fbcd35364baa2b68cfd9b05c2a8789c52d25d72
                            • Instruction ID: c5a0efb205e96c8112f38b668f95a18f47927e7b9978e20e35238074069583d1
                            • Opcode Fuzzy Hash: f2d7956e2addaeaa51161abf0fbcd35364baa2b68cfd9b05c2a8789c52d25d72
                            • Instruction Fuzzy Hash: 8A111FB1C00249CECB20CFAAD545BDEFBF4AF88314F14806AD468B7210C376A546CFA4

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 509 ecb020-ecb060 510 ecb068-ecb093 GetModuleHandleW 509->510 511 ecb062-ecb065 509->511 512 ecb09c-ecb0b0 510->512 513 ecb095-ecb09b 510->513 511->510 513->512
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00ECB086
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793850528.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_ec0000_MSBuild.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: dd40c08a8fe3844c0f711757f09f77960034243692981a54dfb21c89307fab8f
                            • Instruction ID: 63d4b6b58b7e89e394083f1abf2abfeb9425e742ce8df58cab563c9b3edf105f
                            • Opcode Fuzzy Hash: dd40c08a8fe3844c0f711757f09f77960034243692981a54dfb21c89307fab8f
                            • Instruction Fuzzy Hash: 8911CDB5C00349CBCB20DF9AC545B9EFBF4AB88324F14842AD869B7210C376A545CFA5
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793532776.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e4d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e649ec4f5f5268198331fbc755e92041fa2f78ac41c7fa373bdf9ba21f7e1604
                            • Instruction ID: 3e190e2f10bab1156629a0e4bacdcb68932cb7c4a141e72ce2c2aa1cd3d855c1
                            • Opcode Fuzzy Hash: e649ec4f5f5268198331fbc755e92041fa2f78ac41c7fa373bdf9ba21f7e1604
                            • Instruction Fuzzy Hash: FA210672508244EFCB09DF14EDC4B26BFA5FB9C318F24C669E9095A255C336D816CBA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793532776.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e4d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b1de64a82635c7e57bb5cba68d1dd7d5d7fe251ea1744a7fa1f1db2876893eca
                            • Instruction ID: c9d9ffe82fcf539ddf3c9128897231dbb69887c24c758fb6f86c82b00006527b
                            • Opcode Fuzzy Hash: b1de64a82635c7e57bb5cba68d1dd7d5d7fe251ea1744a7fa1f1db2876893eca
                            • Instruction Fuzzy Hash: B5213771608240DFCB05DF14EDC0B2BBF65FB98318F20C569E9095B256C73AD856CBA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793532776.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e4d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c7c26e8ef9b3735da09d67677ce05fde2f594e909b9e1df1c44e29235419c433
                            • Instruction ID: 43a39be695b149be521690b8fd3cda8544313d016060ee36706493a249d420af
                            • Opcode Fuzzy Hash: c7c26e8ef9b3735da09d67677ce05fde2f594e909b9e1df1c44e29235419c433
                            • Instruction Fuzzy Hash: 18213771508204DFDB05DF14EDC0B2ABF65FB98328F20C16DE9095B256C33AE856CBA2
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793588571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e5d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 17774148c8661480007b651078b19755ac2d45b6599e01ebf0159a3fcacf228a
                            • Instruction ID: 6801959b5c9e5e214d6c08a70cd415fad79e93e3d9398aba9c53c56a55e1fcc8
                            • Opcode Fuzzy Hash: 17774148c8661480007b651078b19755ac2d45b6599e01ebf0159a3fcacf228a
                            • Instruction Fuzzy Hash: 9921F271608200DFDB24DF14D9C4B26BBA6EB84319F20C969DD0A5B296C33AD84BCA61
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793588571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e5d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b61b4f99e3d5c0177326a2df22963314285fc89f441f2aeddc4ff6ddba8a7d2
                            • Instruction ID: b5db99ddb42f08a9b2a314dae233ac8a889895a0425165a5c5558fa7e8d21fda
                            • Opcode Fuzzy Hash: 9b61b4f99e3d5c0177326a2df22963314285fc89f441f2aeddc4ff6ddba8a7d2
                            • Instruction Fuzzy Hash: 9021537550D3808FDB12CF24D994715BF71EB46318F28C5EAD8498F6A7C33A980ACB62
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793532776.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e4d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                            • Instruction ID: 995074c2fe895847dd306fa66b2a6ea707891b5604b503177d14a92f66f67e42
                            • Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                            • Instruction Fuzzy Hash: 3621A276504284DFCB16CF14E9C4B26BF72FB98318F24C6A9DD491B256C33AD816CB91
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793532776.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e4d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction ID: db68138040e8059d9082ce373cd06fbd1cba7f70a7f524e3b6ec4883ba41c0c0
                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction Fuzzy Hash: 2A112676404240CFCB12CF10D9C4B16BF71FB94328F24C2A9DC090B656C33AE85ACBA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793532776.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e4d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction ID: f3ffcce361ddf4d41ee9afa77f695bb19c81addc52d80eab3b783c115fca39d2
                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction Fuzzy Hash: FC11E676504280CFCB16CF14E9C4B16BF71FB94328F24C6A9DC494B656C33AD85ACBA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793532776.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e4d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4b607bec39263d216f5d0f9a23dd1205761707f7916372a53e796695729aa701
                            • Instruction ID: 8697d4806766331bce6fdd24a37d2ad384278f9a6e04fa4b69f1e50197a1f927
                            • Opcode Fuzzy Hash: 4b607bec39263d216f5d0f9a23dd1205761707f7916372a53e796695729aa701
                            • Instruction Fuzzy Hash: 5C012B7100C3009AE7108A65ED84767FF98EF41374F18C96AED091A286C279DC40D671
                            Memory Dump Source
                            • Source File: 00000002.00000002.1793532776.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_e4d000_MSBuild.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5662b9304892b85eb07879d01b9f0c3dda3a031ab3d89ca2e1638fd77b95cdb7
                            • Instruction ID: 92dd846d6f6041e873a35adbec02fbcad58b5c6ecfd46c2e40daef20a82abddb
                            • Opcode Fuzzy Hash: 5662b9304892b85eb07879d01b9f0c3dda3a031ab3d89ca2e1638fd77b95cdb7
                            • Instruction Fuzzy Hash: 0FF0C2710083409AE7208A16DC84B62FFA8EF51778F18C55AED081E286C2799841CAB0