Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546038
MD5: 500904922500a6b286ebc7b6aa791e24
SHA1: b09695e46e35a433dc00c41508b6ff47745247a7
SHA256: 8e08e9ad4ee4438acbb60b2922cf4578f93df6f4adcd01e1e8942a36bd5dc4d8
Tags: exe, user-Bitsight

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Meduza Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 500904922500A6B286EBC7B6AA791E24)
    • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 6324 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer capability which targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Extracted malware configuration (RedLine): {"C2 url": "4.251.123.83:6677"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(7 entries in total; the first 5 are shown)

Source | Rule | Description | Author | Strings
0.2.file.exe.6cf1b000.4.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.2.file.exe.6cf1b000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.file.exe.6cf1b000.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.6cf1b000.4.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen | matched strings:
  • 0x45c1b:$s1: file:///
  • 0x45b53:$s2: {11111-22222-10009-11112}
  • 0x45bab:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c2d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
2.2.MSBuild.exe.b00000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(11 entries in total; the first 5 are shown)

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T12:06:59.992193+0100 | 2046056 | 1 | A Network Trojan was detected | 4.251.123.83 | 6677 | 192.168.2.4 | 49730 | TCP
2024-10-31T12:06:59.338810+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 4.251.123.83 | 6677 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: MSBuild.exe.6324.2.memstrmin | Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49730 -> 4.251.123.83:6677
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 4.251.123.83:6677
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 4.251.123.83:6677
Source: Joe Sandbox View | ASN Name: LEVEL3US LEVEL3US
Source: unknown | TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000003060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^qqC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000003060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^qqC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb(; equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.1770776237.0000000006104000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.1770776237.0000000006104000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb: equals www.youtube.com (Youtube)
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1Response
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2Response
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3Response
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3ResponseD
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002D5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                        System Summary

Source: 0.2.file.exe.6cf1b000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.MSBuild.exe.b00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.6cf00000.3.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.6cf1b000.4.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: file.exe, -Module-.cs | Large array initialization: _202D_206D_206E_202B_206D_206C_200F_206D_206E_200E_200B_206A_200D_206E_202C_200B_202D_202D_206A_202A_202C_206A_200C_206B_200E_206B_200D_202B_206E_206B_202D_200F_200E_206F_206B_206A_206D_206B_206F_202D_202E: array initializer size 54080
Source: 0.2.file.exe.6cf1b000.4.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF03950 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,VirtualAlloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF03250 GetModuleHandleW,NtQueryInformationProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF03950
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF03250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF01210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF13595
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF02690
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF07A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF03750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02701464
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0270245C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_027058E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02705C98
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02705908
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02703B8D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02703830
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02703820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_027058F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_027008AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02704167
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02704B48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02702D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00DD7660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00DD0878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00DD0869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00DD7652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_00DD7660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EE3FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EE1BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EE3890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF9568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EFAF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF6A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF48B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF9558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EFAF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EFED23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EFED30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF6A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF48A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FB34E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FB5568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FBE1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FBC4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FBD060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FBB037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FD9DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FDDAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FD72A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FD1A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FDB3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FD6BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FD30D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FDDAD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FD80C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FDB920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FDB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FFD708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF6A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF1E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF1E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF1260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF1250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF5218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF5209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FF9BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C57E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C2408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C7318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073CA360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073CD2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C8100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C0E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C2ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073CAC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073CD928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C49F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C730B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C80F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C49EB
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6CF08AF0 appears 33 times
Source: file.exe, 00000000.00000002.1678394243.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1659709452.0000000000392000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameChloeJackUlysses.YHH vs file.exe
Source: file.exe, 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenameGristles.exe" vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameChloeJackUlysses.YHH vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.6cf1b000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.MSBuild.exe.b00000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.6cf00000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.6cf1b000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.file.exe.6cf1b000.4.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.6cf1b000.4.raw.unpack, Class4.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.6cf1b000.4.raw.unpack, Class4.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\gdi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Data Obfuscation

Source: 0.2.file.exe.6cf1b000.4.raw.unpack, Class4.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: file.exe, -Module-.cs | .Net Code: _202E_202C_206D_202C_200F_202D_206D_206E_206E_200D_206C_202C_200E_206E_202B_202E_206E_202B_206D_202E_206A_202A_206F_202D_200D_202C_200E_206B_206A_202A_206F_202A_200F_206A_200C_200F_202B_206E_202C_202A_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF13CC4 push ecx; ret 0_2_6CF13CD7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02704FF6 push 35C238BBh; iretd 0_2_02705002
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02703F9D push esp; retf 0_2_02703F9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EEFC7A pushfd ; ret 2_2_06EEFC81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EE6D31 push es; ret 2_2_06EE6D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF5458 pushad ; iretd 2_2_06EF5465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06EF1E6F push eax; iretd 2_2_06EF1E89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FBF9B6 push es; iretd 2_2_06FBF9B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FBF938 push es; iretd 2_2_06FBF9B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FD0951 push es; ret 2_2_06FD0960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C04A0 push A4071891h; ret 2_2_073C0695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C0618 push A4071891h; ret 2_2_073C0695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C0600 push A4071891h; ret 2_2_073C0695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_073C06CF push A4071891h; ret 2_2_073C0695
Source: file.exe | Static PE information: section name: .text entropy: 7.831361955004328
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\gdi32.dll
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2510000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2510000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4D80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5D80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 7200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 8200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 9200000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 4A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 7653
Source: C:\Users\user\Desktop\file.exe TID: 6296 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2872 | Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3168 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000002.00000002.1770776237.00000000060A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 2_2_06FDE740 LdrLoadDll,2_2_06FDE740
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF0897A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CF0897A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF0E70B GetProcessHeap,0_2_6CF0E70B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF084A1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6CF084A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF0897A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CF0897A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF0C937 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CF0C937
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B00000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B02000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B4E000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BBA000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B02000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B4E000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BBA000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 95B008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF08B38 cpuid 0_2_6CF08B38
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_6CF085C3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6CF085C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6324, type: MEMORYSTR
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6324, type: MEMORYSTR
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: hieplnfojfccegoloniefimmbfjdgcgp|Electrum
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectronCashE#
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: mhonjhhcgphdphdjcdoeodfdliikapmj|Jaxx Liberty
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: idkppnahnmmggbmfkjhiakkbkdpnmnon|Exodus
Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: MSBuild.exe, 00000002.00000002.1770776237.0000000006104000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\*
Source: file.exe | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: Yara match | File source: 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6324, type: MEMORYSTR
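The "File opened" entries above are the behavioural core of the stealer verdict: a .NET build tool (MSBuild.exe) reading Chrome, Edge and Firefox credential stores and a dozen wallet directories in quick succession. The following detection logic is an added example written for this page by the editor; it is not Joe Sandbox code and not part of the analysed sample. The sensitive paths are those listed in this report; the log-line format (one key="value" line per file open), the allow-lists of legitimate images and the sample telemetry are constructed assumptions for the example.

```python
"""Flag browser credential-store and crypto-wallet access by processes that should not touch them.

Added example (editor's code, not Joe Sandbox's). Sensitive paths mirror the 'File opened'
entries in this report; the log format, the allow-lists and the sample log are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Artifact classes and the path shapes that identify them (paths taken from the report).
SENSITIVE_PATTERNS = [
    ("chrome_login_data", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("chrome_cookies", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I)),
    ("chrome_web_data", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$", re.I)),
    ("edge_login_data", re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("firefox_cookies", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I)),
    ("wallet_dir", re.compile(
        r"\\AppData\\(?:Roaming|Local)\\(?:Electrum(?:-LTC)?|ElectronCash|Exodus|Ethereum|Bitcoin"
        r"|Coinomi|Guarda|Binance|atomic|com\.liberty\.jaxx)\\", re.I)),
]

# Image names allowed to open each class. Assumption for the example; tune to the real estate.
ALLOWED_IMAGES = {
    "chrome_login_data": {"chrome.exe"},
    "chrome_cookies": {"chrome.exe"},
    "chrome_web_data": {"chrome.exe"},
    "edge_login_data": {"msedge.exe"},
    "firefox_cookies": {"firefox.exe"},
    "wallet_dir": {"electrum.exe", "exodus.exe", "coinomi.exe", "bitcoin-qt.exe"},
}

# Assumed telemetry shape: <timestamp> PID=<n> Image="<path>" Event=FileOpen Target="<path>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) PID=(?P<pid>\d+) Image="(?P<image>[^"]+)" Event=FileOpen Target="(?P<target>[^"]+)"$'
)

# Constructed log lines modelled on this report (MSBuild.exe PID 6324); not real telemetry.
SAMPLE_LOG = r"""
2024-10-30T10:14:58Z PID=4120 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" Event=FileOpen Target="C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
2024-10-30T10:15:01Z PID=6324 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Event=FileOpen Target="C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll"
2024-10-30T10:15:02Z PID=6324 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Event=FileOpen Target="C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
2024-10-30T10:15:02Z PID=6324 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Event=FileOpen Target="C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
2024-10-30T10:15:03Z PID=6324 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Event=FileOpen Target="C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"
2024-10-30T10:15:03Z PID=6324 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Event=FileOpen Target="C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"
2024-10-30T10:15:04Z PID=6324 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Event=FileOpen Target="C:\Users\user\AppData\Roaming\Electrum\wallets\"
2024-10-30T10:15:04Z PID=6324 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Event=FileOpen Target="C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\"
"""
SAMPLE_LINES = [line for line in SAMPLE_LOG.splitlines() if line.strip()]


def classify(path: str) -> Optional[str]:
    """Return the artifact class a path belongs to, or None if it is not sensitive."""
    for name, pattern in SENSITIVE_PATTERNS:
        if pattern.search(path):
            return name
    return None


def detect(lines: Iterable[str], breadth_threshold: int = 3) -> List[Dict[str, object]]:
    """Two signals, either of which raises an alert for a process:
    - it opened an artifact class its image is not allowed to open (foreign access), or
    - it opened at least breadth_threshold distinct classes (a stealer sweeps many stores)."""
    per_pid = defaultdict(lambda: {"image": "", "categories": set(), "targets": []})
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # not a FileOpen record in the assumed format
        category = classify(match["target"])
        if category is None:
            continue  # ordinary file, e.g. a GAC assembly
        entry = per_pid[int(match["pid"])]
        entry["image"] = match["image"]
        entry["categories"].add(category)
        entry["targets"].append(match["target"])

    alerts = []
    for pid, entry in sorted(per_pid.items()):
        exe = entry["image"].rsplit("\\", 1)[-1].lower()
        foreign = sorted(c for c in entry["categories"] if exe not in ALLOWED_IMAGES.get(c, set()))
        broad = len(entry["categories"]) >= breadth_threshold
        if foreign or broad:
            alerts.append({
                "pid": pid,
                "image": entry["image"],
                "categories": sorted(entry["categories"]),
                "foreign_categories": foreign,
                "breadth_hit": broad,
                "targets": list(entry["targets"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(f"PID {alert['pid']} ({alert['image']}) opened {alert['categories']}; "
              f"not allowed for {alert['foreign_categories']}; breadth hit: {alert['breadth_hit']}")
```

The breadth signal matters as much as the allow-list: a single foreign open can be a backup agent or a migration tool, but one process touching Chrome, Edge, Firefox and several wallet directories within seconds is the sweep pattern this report documents, regardless of what the image is called.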

                        Remote Access Functionality

Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6324, type: MEMORYSTR
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6324, type: MEMORYSTR
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MSBuild.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf00000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.6cf1b000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
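The memory-dump names in the Yara lists encode where each hit sits in the process, and that is what separates a loader's own image from injected payload: the MSBuild.exe dump at 0xB02000 carries protection value 0x40 and type 0x20000, i.e. PAGE_EXECUTE_READWRITE private memory, which is what one expects after the "Injects a PE file into a foreign process" signature, while the file.exe dump at 0x6CF1B000 is a PAGE_READWRITE region of a mapped image. The following decoder is an added example written by the editor for this page, not Joe Sandbox code. The dump names are copied from this report and the process-index mapping comes from the report's own unpack names (0 = file.exe, 2 = MSBuild.exe); the field layout of the name is the editor's reading of the naming scheme and is an assumption, whereas the PAGE_* and MEM_* values are the documented Win32 constants.

```python
"""Decode Joe Sandbox memory-dump names (.sdmp) and flag executable private memory.

Added example (editor's code, not Joe Sandbox's). Assumed field layout of a dump name:

    <process index>.<dump phase>.<serial>.<base address>.<protect>.<field 5>.<memory type>.<field 7>.sdmp

The protect and memory-type fields are decoded with the documented Win32 PAGE_* and MEM_*
constants; fields 5 and 7 are carried through undecoded because their meaning is not
established here.
"""
from typing import Dict, Iterable, List

# Win32 memory protection and region type constants (winnt.h).
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTE_MASK = 0xF0  # any of the PAGE_EXECUTE* base protections

# Process index -> image, taken from this report's unpack names
# ("0.2.file.exe.6cf00000.3.unpack", "2.2.MSBuild.exe.b00000.0.unpack").
PROCESS_INDEX = {0: "file.exe", 2: "MSBuild.exe"}

# Dump names copied from this report.
REPORT_DUMPS = [
    "00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp",
    "00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp",
    "00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp",
    "00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp",
    "00000002.00000002.1770776237.0000000006104000.00000004.00000020.00020000.00000000.sdmp",
]


def decode_protect(value: int) -> str:
    """Render a protection value as its base PAGE_* name plus any modifier bits."""
    base = value & 0xFF
    names = [PAGE_BASE.get(base, f"0x{base:x}")]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def parse_sdmp(name: str) -> Dict[str, object]:
    """Split a dump name into its fields under the assumed layout above."""
    stem = name[:-5] if name.lower().endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(parts)}: {name}")
    proc, phase, serial, base, protect, field5, mem_type, field7 = parts
    protect_value = int(protect, 16)
    type_value = int(mem_type, 16)
    return {
        "process_index": int(proc, 16),
        "phase": int(phase, 16),
        "serial": serial,                      # kept verbatim; not interpreted
        "base_address": int(base, 16),
        "protect_value": protect_value,
        "protect": decode_protect(protect_value),
        "mem_type": MEM_TYPES.get(type_value, f"0x{type_value:x}"),
        "executable": bool(protect_value & EXECUTE_MASK),
        "field5": field5,
        "field7": field7,
    }


def is_injection_candidate(region: Dict[str, object]) -> bool:
    """Executable memory not backed by a mapped image: the footprint of a payload
    written into a hollowed or injected process rather than loaded from disk."""
    return bool(region["executable"]) and region["mem_type"] == "MEM_PRIVATE"


def injection_candidates(names: Iterable[str], process_index: Dict[int, str]) -> List[Dict[str, object]]:
    hits = []
    for name in names:
        region = parse_sdmp(name)
        if is_injection_candidate(region):
            hits.append({
                "process": process_index.get(region["process_index"], f"process#{region['process_index']}"),
                "base": f"0x{region['base_address']:08X}",
                "protect": region["protect"],
                "dump": name,
            })
    return hits


if __name__ == "__main__":
    for hit in injection_candidates(REPORT_DUMPS, PROCESS_INDEX):
        print(f"{hit['process']}: {hit['protect']} private region at {hit['base']} ({hit['dump']})")
```

Run against the five report dumps, only the MSBuild.exe region at 0xB02000 comes back, which is the region the 2.2.MSBuild.exe.b00000.0.unpack artifact was carved from; the 0x2A91000 and 0x6104000 regions are ordinary PAGE_READWRITE private memory (the heap holding the wallet and browser strings quoted earlier), not code.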
MITRE ATT&CK Matrix, listed per tactic. A leading number is the report's match-count badge, copied as extracted; techniques without one are unmatched matrix entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 311 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 341 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 124 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 3 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

Source | Detection | Scanner | Label
file.exe | 100% | Avira | HEUR/AGEN.1311038
file.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label. Every URL below was rated 0% by the URL Reputation scanner with label "safe":
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
http://schemas.xmlsoap.org/ws/2005/02/sc/sct
https://duckduckgo.com/chrome_newtab
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
https://duckduckgo.com/ac/?q=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
http://schemas.xmlsoap.org/ws/2004/10/wsat
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
https://api.ip.sb/ip
http://schemas.xmlsoap.org/ws/2004/04/sc
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
https://www.ecosia.org/newtab/
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
http://schemas.xmlsoap.org/ws/2004/08/addressing
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
http://schemas.xmlsoap.org/ws/2004/04/trust
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
http://schemas.xmlsoap.org/soap/envelope/
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
http://schemas.xmlsoap.org/ws/2005/02/trust
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
http://schemas.xmlsoap.org/ws/2004/06/addressingex
http://schemas.xmlsoap.org/ws/2004/10/wscoor
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
http://www.w3.o
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
http://schemas.xmlsoap.org/ws/2002/12/policy
http://schemas.xmlsoap.org/ws/2005/02/sc/dk
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
No contacted domains info
Contacted IPs: Name | Malicious | Antivirus Detection | Reputation
4.251.123.83:6677 | Malicious: true | Reputation: unknown
URLs found in memory: Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
https://duckduckgo.com/chrome_newtab | Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
https://duckduckgo.com/ac/?q= | Source: MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://tempuri.org/ | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
https://discord.com/api/v9/users/ | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://tempuri.org/example/Field1Response | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://tempuri.org/example/Field1ResponseD | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | Source: MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Malicious: false
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://api.ip.sb/ipMSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/04/scMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://www.ecosia.org/newtab/MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedMSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/08/addressingMSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://tempuri.org/example/Field3ResponseDMSBuild.exe, 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2004/04/trustMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/02/trust/NonceMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsMSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://tempuri.org/example/Field1MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://schemas.xmlsoap.org/soap/envelope/MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://tempuri.org/example/Field2MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                          unknown
                                          http://tempuri.org/example/Field3MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                            unknown
                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=MSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/02/trustMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://tempuri.org/DMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2004/06/addressingexMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2004/10/wscoorMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseMSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchMSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.w3.oMSBuild.exe, 00000002.00000002.1757650129.0000000002D5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/CommittedMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://tempuri.org/example/Field3ResponseMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/faultMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyMSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponseMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2005/02/trust/CancelMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementMSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://www.google.com/images/branding/product/ico/googleg_lodp.icoMSBuild.exe, 00000002.00000002.1764728767.0000000003B81000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003A4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.1764728767.0000000003E03000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1MSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousMSBuild.exe, 00000002.00000002.1757650129.0000000002A21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_WrapMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2002/12/policyMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2005/02/sc/dkMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/IssueMSBuild.exe, 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
4.251.123.83 | unknown | United States | 3356 | LEVEL3US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546038
Start date and time: 2024-10-31 12:06:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 106
• Number of non-executed functions: 26
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
07:07:00 | API Interceptor | 47x Sleep call for process: MSBuild.exe modified
                                                  No context
                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LEVEL3US | file.exe | malicious | Stealc, Vidar | 4.150.155.223
LEVEL3US | file.exe | malicious | Stealc, Vidar | 4.152.133.8
LEVEL3US | W6Z9uSRsKQ.elf | malicious | Unknown | 207.123.91.118
LEVEL3US | wZU2edEGL3.elf | malicious | Unknown | 9.94.32.251
LEVEL3US | SuNMTBkfPo.elf | malicious | Unknown | 9.136.107.129
LEVEL3US | 8v2IShmMos.elf | malicious | Unknown | 4.177.198.213
LEVEL3US | v6pwbOEUpl.elf | malicious | Unknown | 9.3.34.7
LEVEL3US | j3Lr4Fk7Kb.elf | malicious | Mirai | 9.97.128.7
LEVEL3US | belks.mips.elf | malicious | Mirai | 9.196.2.177
LEVEL3US | belks.x86.elf | malicious | Mirai | 8.232.159.211
                                                  No context
                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):2543
                                                  Entropy (8bit):5.331950323785858
                                                  Encrypted:false
                                                  SSDEEP:48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HDfHKdHKLBHK7HKmTHQmHKtXoDHsLHqH5J:Pq5qHwCYqh3oPtI6eqzxTqdqlq7qqjqI
                                                  MD5:D1C706335BBF6ECA4BECB0CACD9231EB
                                                  SHA1:AC27DA2AC6FEC7C7F24C9796CB7BCECD5EF8F382
                                                  SHA-256:45449CD3FC0C10386A37510D13C883FEF94883D11D757FDD0FFE4EDAF0DAAD75
                                                  SHA-512:D5A4D33B362C4EF19CD0E43F2F518258EE45A1A32DED992B851276DF3BC8A4559E7D1872B155E10DAF1FF6B38C65AF472AF429B8362EBBB12976B3454C1FE68B
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                  Process:C:\Users\user\Desktop\file.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):42
                                                  Entropy (8bit):4.0050635535766075
                                                  Encrypted:false
                                                  SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                  MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                  SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                  SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                  SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                  Process:C:\Users\user\Desktop\file.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):855040
                                                  Entropy (8bit):5.6181812603560655
                                                  Encrypted:false
                                                  SSDEEP:12288:UKRhdAJtGfliyDB6NcP/BzYhy7EVe6JVM926xir0l6G8tGxBFLs8HVTN3gLkW/Eb:UK5qk
                                                  MD5:44CB7F156344FBA97C4C9DD485276C8A
                                                  SHA1:B508628B9163E236D9EF1BA95868AE128ABB05CD
                                                  SHA-256:0F2BA82668B74F28DDB7B95233EE21FE32BFB1BD3ADB0C5B2F34D3001443ED3C
                                                  SHA-512:C79C538A0F6BC88017F3AAA5A551C8CE92B7E92786CCA5168BB5604F5B1AB9DE45B79681D06ADE2B10A7E002B7FE600FBE59991FA9B454999B5B207F88991F16
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:low
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>3.._]]._]]._]].'^\._]].'X\._]].'Y\._]].'\\._]]..&]._]]._\]._]]..X\._]]..Y\._]]..^\._]]._]]._]]..]\._]].._\._]]Rich._]]........................PE..L....9#g...........!...&.0..........~........@...............................@............@.............................X...X...P............................ ......................................P...@............@..X............................text..../.......0.................. ..`.rdata..Bb...@...d...4..............@..@.data...tk.......b..................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                  File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.8122854091440574
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:file.exe
                                                  File size:271'360 bytes
                                                  MD5:500904922500a6b286ebc7b6aa791e24
                                                  SHA1:b09695e46e35a433dc00c41508b6ff47745247a7
                                                  SHA256:8e08e9ad4ee4438acbb60b2922cf4578f93df6f4adcd01e1e8942a36bd5dc4d8
                                                  SHA512:baa756bc44306c37774115fe0bd14f1e9735d25def4042a9035c8903e153aee3e1be8fcde286632609e96923256f8d69b0424ee0c30ab4a95de494462fc0e3e6
                                                  SSDEEP:6144:QVZd5702Ameiqqv6Hrs3LI6VRPob7QEAI1AeOPvNb:+exmeiqrHrN6VuX5AeOPvNb
                                                  TLSH:9D44BF9CB65476CFC86BC971CEA82C64EA61B877430F9247A06716ED990CA97CF011F3
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9#g.............................7... ...@....@.. ....................................@................................
                                                  Icon Hash:90cececece8e8eb0
                                                  Entrypoint:0x4437ae
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows cui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6723391E [Thu Oct 31 08:00:30 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4375c | 0x4f | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44000 | 0x6d8 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x46000 | 0xc | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x2000 | 0x417b4 | 0x41800 | 3f0024870ed7d584f059c6cbddf13d62 | False | 0.8963725548664122 | data | 7.831361955004328 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rsrc | 0x44000 | 0x6d8 | 0x800 | aaef290f02fed851a193f32434cc2dc0 | False | 0.38232421875 | data | 3.735234737511919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x46000 | 0xc | 0x200 | 8658c1b1f347026cd1e3e838036b5a8c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  RT_VERSION | 0x440a0 | 0x448 | data | | | 0.4324817518248175
                                                  RT_MANIFEST | 0x444e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                  DLL | Import
                                                  mscoree.dll | _CorExeMain
                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                  2024-10-31T12:06:59.338810+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.4 | 49730 | 4.251.123.83 | 6677 | TCP
                                                  2024-10-31T12:06:59.992193+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 4.251.123.83 | 6677 | 192.168.2.4 | 49730 | TCP
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Oct 31, 2024 12:07:02.320724964 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.320734978 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.320744038 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.320802927 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.324927092 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.324995041 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.325005054 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325088024 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.325131893 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325140953 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325324059 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325333118 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325366020 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.325429916 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.325453043 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325462103 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325478077 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325488091 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325519085 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.325550079 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325553894 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.325558901 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325575113 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325584888 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325620890 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325629950 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325655937 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325664997 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325701952 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325711012 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325752974 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325764894 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325786114 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325836897 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325875044 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325884104 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325915098 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.325923920 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326062918 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326071978 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326081991 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326128960 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326138020 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326169014 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326205015 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326214075 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326221943 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326236963 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326246023 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326318979 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326327085 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326334953 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326343060 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326359034 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326368093 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326375961 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326385021 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326447964 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326456070 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326463938 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326472044 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326483011 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326492071 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326500893 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.326535940 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326545000 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326608896 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326618910 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326656103 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.326692104 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326700926 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326708078 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326716900 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326733112 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326741934 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326750994 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326760054 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326797009 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326806068 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326832056 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326839924 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.326874971 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.329801083 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.329847097 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.329895020 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.329905033 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330135107 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330224991 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330233097 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330266953 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330388069 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330473900 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330524921 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330558062 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330612898 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330621004 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330630064 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330645084 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330684900 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330718040 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330728054 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330765009 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.330800056 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331058025 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.331196070 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.331463099 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331471920 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331480026 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331502914 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331511974 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331569910 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331578970 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331643105 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331650972 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331657887 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331667900 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331799030 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331808090 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331820965 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331830025 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331845999 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331854105 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331867933 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331938982 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331947088 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331955910 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331965923 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331979036 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.331995010 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332004070 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332012892 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332029104 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332037926 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332045078 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332082987 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332091093 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332098961 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332108974 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332169056 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332178116 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332185030 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332222939 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332231998 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332238913 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332273006 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332282066 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332288980 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332319975 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332329035 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332335949 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332350969 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332360983 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332370043 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332376957 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332389116 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332391977 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332396984 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.332463026 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.335966110 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.335982084 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336042881 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336050987 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336102009 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336111069 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336117983 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336133003 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336149931 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336159945 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336169004 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336198092 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336206913 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336215973 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336224079 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336240053 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336247921 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336256027 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336265087 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336293936 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336302996 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336309910 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336317062 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336332083 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336339951 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336349010 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336359024 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336420059 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336427927 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336436033 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336451054 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336460114 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336468935 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336488008 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.336505890 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336514950 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336524010 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336543083 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336551905 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336561918 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336572886 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336581945 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336595058 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.336607933 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336616993 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336654902 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336663008 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336672068 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336692095 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336699963 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336709023 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336736917 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336745977 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336783886 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.336792946 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341470003 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341478109 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341526031 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341535091 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341569901 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341578960 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341588974 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341604948 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341690063 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341698885 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341706038 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341715097 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341732025 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341741085 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341756105 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341763973 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341814995 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341824055 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341836929 CET497306677192.168.2.44.251.123.83
                                                  Oct 31, 2024 12:07:02.341871977 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341881990 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341906071 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341914892 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341926098 CET6677497304.251.123.83192.168.2.4
                                                  Oct 31, 2024 12:07:02.341969967 CET497306677192.168.2.44.251.123.83


                                                  Target ID:0
                                                  Start time:07:06:55
                                                  Start date:31/10/2024
                                                  Path:C:\Users\user\Desktop\file.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                  Imagebase:0x390000
                                                  File size:271'360 bytes
                                                  MD5 hash:500904922500A6B286EBC7B6AA791E24
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:07:06:56
                                                  Start date:31/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:07:06:56
                                                  Start date:31/10/2024
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                  Imagebase:0x6a0000
                                                  File size:262'432 bytes
                                                  MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1757650129.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1756178312.0000000000B02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1757650129.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:13.2%
                                                    Dynamic/Decrypted Code Coverage:1.5%
                                                    Signature Coverage:4.3%
                                                    Total number of Nodes:1899
                                                    Total number of Limit Nodes:8
12247->12248 12249 6cf09df4 ___CxxFrameHandler 12248->12249 12250 6cf0fde5 12254 6cf0fd2e 12250->12254 12251 6cf0fd48 12252 6cf0fd5c 12251->12252 12253 6cf0cc14 __dosmaperr 14 API calls 12251->12253 12255 6cf0fd52 12253->12255 12254->12251 12254->12252 12257 6cf0fd81 12254->12257 12256 6cf0cb33 ___std_exception_copy 29 API calls 12255->12256 12256->12252 12257->12252 12258 6cf0cc14 __dosmaperr 14 API calls 12257->12258 12258->12255 12717 6cf13ee9 12718 6cf08130 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12717->12718 12719 6cf13eff 12718->12719 12720 6cf08130 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12719->12720 12721 6cf13f09 12720->12721 12722 6cf122ea IsProcessorFeaturePresent 12010 6cf0e8ec 12011 6cf0e8f1 12010->12011 12013 6cf0e914 12011->12013 12014 6cf103d2 12011->12014 12015 6cf103df 12014->12015 12019 6cf10401 12014->12019 12016 6cf103fb 12015->12016 12017 6cf103ed DeleteCriticalSection 12015->12017 12018 6cf0cc84 __freea 14 API calls 12016->12018 12017->12016 12017->12017 12018->12019 12019->12011 12259 6cf0adec 12262 6cf097cf 12259->12262 12263 6cf097e1 12262->12263 12264 6cf097f3 12262->12264 12263->12264 12265 6cf097e9 12263->12265 12266 6cf09a0e CallUnexpected 49 API calls 12264->12266 12267 6cf097f1 12265->12267 12269 6cf09a0e CallUnexpected 49 API calls 12265->12269 12268 6cf097f8 12266->12268 12268->12267 12270 6cf09a0e CallUnexpected 49 API calls 12268->12270 12271 6cf09811 12269->12271 12270->12267 12272 6cf09a0e CallUnexpected 49 API calls 12271->12272 12273 6cf0981c 12272->12273 12274 6cf0be5d _unexpected 39 API calls 12273->12274 12275 6cf09824 12274->12275 12020 6cf098d0 12021 6cf098e2 12020->12021 12022 6cf098f0 12020->12022 12023 6cf08130 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12021->12023 12023->12022 12988 6cf0dfd1 GetCommandLineA GetCommandLineW 12109 6cf0b452 12112 6cf0be5d 12109->12112 12113 6cf0be69 __FrameHandler3::FrameUnwindToState 12112->12113 12114 
6cf0c537 _unexpected 39 API calls 12113->12114 12117 6cf0be6e 12114->12117 12115 6cf0bf19 CallUnexpected 39 API calls 12116 6cf0be98 12115->12116 12117->12115 12118 6cf0d054 12125 6cf0d4dc 12118->12125 12121 6cf0d06e 12123 6cf0cc84 __freea 14 API calls 12121->12123 12122 6cf0cc84 __freea 14 API calls 12122->12121 12124 6cf0d010 12123->12124 12126 6cf0d4ee 12125->12126 12135 6cf0d05f 12125->12135 12127 6cf0d4f3 12126->12127 12128 6cf0d519 12126->12128 12129 6cf0cc27 _unexpected 14 API calls 12127->12129 12128->12135 12136 6cf0e27f 12128->12136 12130 6cf0d4fc 12129->12130 12132 6cf0cc84 __freea 14 API calls 12130->12132 12132->12135 12133 6cf0d539 12134 6cf0cc84 __freea 14 API calls 12133->12134 12134->12135 12135->12121 12135->12122 12137 6cf0e2a7 12136->12137 12138 6cf0e28c 12136->12138 12140 6cf0e2b6 12137->12140 12145 6cf1023f 12137->12145 12138->12137 12139 6cf0e298 12138->12139 12141 6cf0cc14 __dosmaperr 14 API calls 12139->12141 12152 6cf10272 12140->12152 12144 6cf0e29d CallUnexpected 12141->12144 12144->12133 12146 6cf1024a 12145->12146 12147 6cf1025f HeapSize 12145->12147 12148 6cf0cc14 __dosmaperr 14 API calls 12146->12148 12147->12140 12149 6cf1024f 12148->12149 12150 6cf0cb33 ___std_exception_copy 29 API calls 12149->12150 12151 6cf1025a 12150->12151 12151->12140 12153 6cf1028a 12152->12153 12154 6cf1027f 12152->12154 12155 6cf10292 12153->12155 12163 6cf1029b _unexpected 12153->12163 12156 6cf0f19a 15 API calls 12154->12156 12157 6cf0cc84 __freea 14 API calls 12155->12157 12160 6cf10287 12156->12160 12157->12160 12158 6cf102a0 12161 6cf0cc14 __dosmaperr 14 API calls 12158->12161 12159 6cf102c5 HeapReAlloc 12159->12160 12159->12163 12160->12144 12161->12160 12162 6cf0e9c0 _unexpected 2 API calls 12162->12163 12163->12158 12163->12159 12163->12162 12723 6cf12ad5 12725 6cf12afd 12723->12725 12724 6cf12b35 12725->12724 12726 6cf12b27 12725->12726 12727 6cf12b2e 12725->12727 12728 6cf12ba7 20 API calls 12726->12728 12732 6cf12b90 12727->12732 12731 6cf12b2c 
12728->12731 12733 6cf12bb0 12732->12733 12734 6cf130cc __startOneArgErrorHandling 20 API calls 12733->12734 12735 6cf12b33 12734->12735 12736 6cf0e6d5 12738 6cf0e6e0 12736->12738 12739 6cf0e706 12736->12739 12737 6cf0e6f0 FreeLibrary 12737->12738 12738->12737 12738->12739 12276 6cf12dd7 12278 6cf12df0 __startOneArgErrorHandling 12276->12278 12277 6cf12e41 __startOneArgErrorHandling 12278->12277 12280 6cf13224 12278->12280 12281 6cf1325d __startOneArgErrorHandling 12280->12281 12282 6cf13595 __raise_exc RaiseException 12281->12282 12283 6cf13284 __startOneArgErrorHandling 12281->12283 12282->12283 12284 6cf132c7 12283->12284 12286 6cf132a2 12283->12286 12285 6cf13886 __startOneArgErrorHandling 14 API calls 12284->12285 12288 6cf132c2 __startOneArgErrorHandling 12285->12288 12291 6cf138b7 12286->12291 12289 6cf08130 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12288->12289 12290 6cf132eb 12289->12290 12290->12277 12292 6cf138c4 12291->12292 12293 6cf138d3 __startOneArgErrorHandling 12292->12293 12295 6cf13902 __startOneArgErrorHandling 12292->12295 12294 6cf13886 __startOneArgErrorHandling 14 API calls 12293->12294 12296 6cf138ec 12294->12296 12297 6cf13950 12295->12297 12298 6cf13886 __startOneArgErrorHandling 14 API calls 12295->12298 12296->12288 12297->12288 12298->12297 12364 6cf0bd59 12365 6cf0cc84 __freea 14 API calls 12364->12365 12366 6cf0bd67 12365->12366 12367 6cf0cc84 __freea 14 API calls 12366->12367 12368 6cf0bd7a 12367->12368 12369 6cf0cc84 __freea 14 API calls 12368->12369 12370 6cf0bd8b 12369->12370 12371 6cf0cc84 __freea 14 API calls 12370->12371 12372 6cf0bd9c 12371->12372 12740 6cf0fad9 12743 6cf0f88e 12740->12743 12741 6cf08130 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12742 6cf0f89b 12741->12742 12743->12741 12743->12743 12989 6cf0c7dc 12997 6cf0e4e9 12989->12997 12992 6cf0c7f0 12993 6cf0c688 __dosmaperr 14 API calls 12994 6cf0c7f8 12993->12994 12995 6cf0c805 12994->12995 12996 6cf0c808 
__DllMainCRTStartup@12 6 API calls 12994->12996 12996->12992 12998 6cf0e405 _unexpected 5 API calls 12997->12998 12999 6cf0e505 12998->12999 13000 6cf0e51d TlsAlloc 12999->13000 13001 6cf0c7e6 12999->13001 13000->13001 13001->12992 13001->12993 12164 6cf0f05e 12165 6cf0f06b 12164->12165 12166 6cf0cc27 _unexpected 14 API calls 12165->12166 12167 6cf0f085 12166->12167 12168 6cf0cc84 __freea 14 API calls 12167->12168 12169 6cf0f091 12168->12169 12170 6cf0cc27 _unexpected 14 API calls 12169->12170 12173 6cf0f0b7 12169->12173 12171 6cf0f0ab 12170->12171 12174 6cf0cc84 __freea 14 API calls 12171->12174 12172 6cf0e5e8 6 API calls 12172->12173 12173->12172 12175 6cf0f0c3 12173->12175 12174->12173 12744 6cf096de 12747 6cf0972c 12744->12747 12748 6cf096e9 12747->12748 12749 6cf09735 12747->12749 12749->12748 12750 6cf09a0e CallUnexpected 49 API calls 12749->12750 12751 6cf09770 12750->12751 12752 6cf09a0e CallUnexpected 49 API calls 12751->12752 12753 6cf0977b 12752->12753 12754 6cf0be5d _unexpected 39 API calls 12753->12754 12755 6cf09783 12754->12755 12756 6cf11ac1 12757 6cf11ae5 12756->12757 12759 6cf11bc1 __startOneArgErrorHandling 12757->12759 12760 6cf11b36 12757->12760 12758 6cf11b48 12762 6cf13224 20 API calls 12759->12762 12763 6cf12e41 __startOneArgErrorHandling 12759->12763 12760->12758 12764 6cf12be3 12760->12764 12762->12763 12765 6cf12bf6 DecodePointer 12764->12765 12766 6cf12c06 12764->12766 12765->12766 12767 6cf12c4a 12766->12767 12768 6cf12c91 12766->12768 12769 6cf12c35 12766->12769 12767->12768 12770 6cf0cc14 __dosmaperr 14 API calls 12767->12770 12768->12758 12769->12768 12771 6cf0cc14 __dosmaperr 14 API calls 12769->12771 12770->12768 12771->12768 13042 6cf0a341 13043 6cf0bf19 CallUnexpected 39 API calls 13042->13043 13044 6cf0a349 13043->13044 13045 6cf0a369 13044->13045 13046 6cf0a2b1 __InternalCxxFrameHandler 39 API calls 13044->13046 13053 6cf09d8f RtlUnwind 13045->13053 13046->13045 13048 6cf0a37e 13049 6cf0ad6a __FrameHandler3::FrameUnwindToState 
49 API calls 13048->13049 13050 6cf0a38f __FrameHandler3::FrameUnwindToState 13049->13050 13051 6cf0aafa __InternalCxxFrameHandler 50 API calls 13050->13051 13052 6cf0a3b7 __InternalCxxFrameHandler 13051->13052 13053->13048 12373 6cf0bd42 12376 6cf0bdc8 12373->12376 12377 6cf0bd55 12376->12377 12378 6cf0bddc 12376->12378 12378->12377 12379 6cf0cc84 __freea 14 API calls 12378->12379 12379->12377 10792 6cf0b947 10807 6cf0dc88 10792->10807 10797 6cf0b963 10835 6cf0cc84 10797->10835 10798 6cf0b96f 10841 6cf0b9a0 10798->10841 10803 6cf0cc84 __freea 14 API calls 10804 6cf0b993 10803->10804 10805 6cf0cc84 __freea 14 API calls 10804->10805 10806 6cf0b999 10805->10806 10808 6cf0dc91 10807->10808 10809 6cf0b958 10807->10809 10863 6cf0c5f2 10808->10863 10813 6cf0e1df GetEnvironmentStringsW 10809->10813 10814 6cf0e1f7 10813->10814 10815 6cf0b95d 10813->10815 10816 6cf0e13c ___scrt_uninitialize_crt WideCharToMultiByte 10814->10816 10815->10797 10815->10798 10817 6cf0e214 10816->10817 10818 6cf0e229 10817->10818 10819 6cf0e21e FreeEnvironmentStringsW 10817->10819 10820 6cf0f19a 15 API calls 10818->10820 10819->10815 10821 6cf0e230 10820->10821 10822 6cf0e238 10821->10822 10823 6cf0e249 10821->10823 10825 6cf0cc84 __freea 14 API calls 10822->10825 10824 6cf0e13c ___scrt_uninitialize_crt WideCharToMultiByte 10823->10824 10826 6cf0e259 10824->10826 10827 6cf0e23d FreeEnvironmentStringsW 10825->10827 10828 6cf0e260 10826->10828 10829 6cf0e268 10826->10829 10830 6cf0e27a 10827->10830 10831 6cf0cc84 __freea 14 API calls 10828->10831 10832 6cf0cc84 __freea 14 API calls 10829->10832 10830->10815 10833 6cf0e266 FreeEnvironmentStringsW 10831->10833 10832->10833 10833->10830 10836 6cf0b969 10835->10836 10837 6cf0cc8f HeapFree 10835->10837 10837->10836 10838 6cf0cca4 GetLastError 10837->10838 10839 6cf0ccb1 __dosmaperr 10838->10839 10840 6cf0cc14 __dosmaperr 12 API calls 10839->10840 10840->10836 10842 6cf0b9b5 10841->10842 10843 6cf0cc27 _unexpected 14 API calls 10842->10843 10844 6cf0b9dc 
10843->10844 10845 6cf0b9e4 10844->10845 10851 6cf0b9ee 10844->10851 10846 6cf0cc84 __freea 14 API calls 10845->10846 10847 6cf0b976 10846->10847 10847->10803 10848 6cf0ba4b 10849 6cf0cc84 __freea 14 API calls 10848->10849 10849->10847 10850 6cf0cc27 _unexpected 14 API calls 10850->10851 10851->10848 10851->10850 10852 6cf0ba5a 10851->10852 10857 6cf0ba75 10851->10857 10859 6cf0cc84 __freea 14 API calls 10851->10859 11551 6cf0bebf 10851->11551 11560 6cf0ba82 10852->11560 10856 6cf0cc84 __freea 14 API calls 10858 6cf0ba67 10856->10858 10860 6cf0cb43 ___std_exception_copy 11 API calls 10857->10860 10861 6cf0cc84 __freea 14 API calls 10858->10861 10859->10851 10862 6cf0ba81 10860->10862 10861->10847 10864 6cf0c5fd 10863->10864 10867 6cf0c603 10863->10867 10911 6cf0e567 10864->10911 10869 6cf0c609 10867->10869 10916 6cf0e5a6 10867->10916 10872 6cf0c60e 10869->10872 10933 6cf0bf19 10869->10933 10888 6cf0da93 10872->10888 10875 6cf0c635 10877 6cf0e5a6 _unexpected 6 API calls 10875->10877 10876 6cf0c64a 10878 6cf0e5a6 _unexpected 6 API calls 10876->10878 10879 6cf0c641 10877->10879 10880 6cf0c656 10878->10880 10883 6cf0cc84 __freea 14 API calls 10879->10883 10881 6cf0c669 10880->10881 10882 6cf0c65a 10880->10882 10928 6cf0c339 10881->10928 10884 6cf0e5a6 _unexpected 6 API calls 10882->10884 10883->10869 10884->10879 10887 6cf0cc84 __freea 14 API calls 10887->10872 11347 6cf0dbe8 10888->11347 10893 6cf0dad6 10893->10809 10896 6cf0dafd 11372 6cf0dce3 10896->11372 10897 6cf0daef 10899 6cf0cc84 __freea 14 API calls 10897->10899 10899->10893 10901 6cf0db50 10908 6cf0cc84 __freea 14 API calls 10901->10908 10910 6cf0db7c 10901->10910 10902 6cf0db35 10903 6cf0cc14 __dosmaperr 14 API calls 10902->10903 10904 6cf0db3a 10903->10904 10905 6cf0cc84 __freea 14 API calls 10904->10905 10905->10893 10907 6cf0cc84 __freea 14 API calls 10907->10893 10908->10910 10909 6cf0dbc5 10909->10907 10910->10909 11383 6cf0d70c 10910->11383 10944 6cf0e405 10911->10944 10913 6cf0e583 10914 6cf0e58c 
10913->10914 10915 6cf0e59e TlsGetValue 10913->10915 10914->10867 10917 6cf0e405 _unexpected 5 API calls 10916->10917 10918 6cf0e5c2 10917->10918 10919 6cf0e5e0 TlsSetValue 10918->10919 10920 6cf0c61d 10918->10920 10920->10869 10921 6cf0cc27 10920->10921 10922 6cf0cc34 _unexpected 10921->10922 10923 6cf0cc74 10922->10923 10924 6cf0cc5f HeapAlloc 10922->10924 10958 6cf0e9c0 10922->10958 10961 6cf0cc14 10923->10961 10924->10922 10925 6cf0c62d 10924->10925 10925->10875 10925->10876 10998 6cf0c1cd 10928->10998 11140 6cf0eb15 10933->11140 10937 6cf0bf33 IsProcessorFeaturePresent 10940 6cf0bf3f 10937->10940 10939 6cf0bf29 10939->10937 10943 6cf0bf52 10939->10943 11170 6cf0c937 10940->11170 11176 6cf0b61e 10943->11176 10945 6cf0e435 10944->10945 10949 6cf0e431 _unexpected 10944->10949 10945->10949 10950 6cf0e33a 10945->10950 10948 6cf0e44f GetProcAddress 10948->10949 10949->10913 10956 6cf0e34b ___vcrt_FlsFree 10950->10956 10951 6cf0e3e1 10951->10948 10951->10949 10952 6cf0e369 LoadLibraryExW 10953 6cf0e384 GetLastError 10952->10953 10954 6cf0e3e8 10952->10954 10953->10956 10954->10951 10955 6cf0e3fa FreeLibrary 10954->10955 10955->10951 10956->10951 10956->10952 10957 6cf0e3b7 LoadLibraryExW 10956->10957 10957->10954 10957->10956 10964 6cf0e9ec 10958->10964 10975 6cf0c688 GetLastError 10961->10975 10963 6cf0cc19 10963->10925 10965 6cf0e9f8 __FrameHandler3::FrameUnwindToState 10964->10965 10970 6cf0c863 EnterCriticalSection 10965->10970 10967 6cf0ea03 CallUnexpected 10971 6cf0ea3a 10967->10971 10970->10967 10974 6cf0c8ab LeaveCriticalSection 10971->10974 10973 6cf0e9cb 10973->10922 10974->10973 10976 6cf0c69e 10975->10976 10980 6cf0c6a4 10975->10980 10978 6cf0e567 _unexpected 6 API calls 10976->10978 10977 6cf0e5a6 _unexpected 6 API calls 10979 6cf0c6c0 10977->10979 10978->10980 10982 6cf0cc27 _unexpected 12 API calls 10979->10982 10995 6cf0c6a8 SetLastError 10979->10995 10980->10977 10980->10995 10983 6cf0c6d5 10982->10983 10984 6cf0c6dd 10983->10984 10985 6cf0c6ee 
10983->10985 10986 6cf0e5a6 _unexpected 6 API calls 10984->10986 10987 6cf0e5a6 _unexpected 6 API calls 10985->10987 10988 6cf0c6eb 10986->10988 10989 6cf0c6fa 10987->10989 10992 6cf0cc84 __freea 12 API calls 10988->10992 10990 6cf0c715 10989->10990 10991 6cf0c6fe 10989->10991 10993 6cf0c339 _unexpected 12 API calls 10990->10993 10994 6cf0e5a6 _unexpected 6 API calls 10991->10994 10992->10995 10996 6cf0c720 10993->10996 10994->10988 10995->10963 10997 6cf0cc84 __freea 12 API calls 10996->10997 10997->10995 10999 6cf0c1d9 __FrameHandler3::FrameUnwindToState 10998->10999 11012 6cf0c863 EnterCriticalSection 10999->11012 11001 6cf0c1e3 11013 6cf0c213 11001->11013 11004 6cf0c2df 11005 6cf0c2eb __FrameHandler3::FrameUnwindToState 11004->11005 11017 6cf0c863 EnterCriticalSection 11005->11017 11007 6cf0c2f5 11018 6cf0c4c0 11007->11018 11009 6cf0c30d 11022 6cf0c32d 11009->11022 11012->11001 11016 6cf0c8ab LeaveCriticalSection 11013->11016 11015 6cf0c201 11015->11004 11016->11015 11017->11007 11019 6cf0c4cf _unexpected 11018->11019 11020 6cf0c4f6 _unexpected 11018->11020 11019->11020 11025 6cf0f51b 11019->11025 11020->11009 11139 6cf0c8ab LeaveCriticalSection 11022->11139 11024 6cf0c31b 11024->10887 11026 6cf0f59b 11025->11026 11030 6cf0f531 11025->11030 11027 6cf0f5e9 11026->11027 11029 6cf0cc84 __freea 14 API calls 11026->11029 11093 6cf0f68c 11027->11093 11031 6cf0f5bd 11029->11031 11030->11026 11032 6cf0f564 11030->11032 11037 6cf0cc84 __freea 14 API calls 11030->11037 11033 6cf0cc84 __freea 14 API calls 11031->11033 11034 6cf0f586 11032->11034 11041 6cf0cc84 __freea 14 API calls 11032->11041 11035 6cf0f5d0 11033->11035 11036 6cf0cc84 __freea 14 API calls 11034->11036 11040 6cf0cc84 __freea 14 API calls 11035->11040 11042 6cf0f590 11036->11042 11039 6cf0f559 11037->11039 11038 6cf0f5f7 11043 6cf0f657 11038->11043 11052 6cf0cc84 14 API calls __freea 11038->11052 11053 6cf11499 11039->11053 11045 6cf0f5de 11040->11045 11046 6cf0f57b 11041->11046 11047 6cf0cc84 __freea 14 
API calls 11042->11047 11048 6cf0cc84 __freea 14 API calls 11043->11048 11050 6cf0cc84 __freea 14 API calls 11045->11050 11081 6cf11597 11046->11081 11047->11026 11049 6cf0f65d 11048->11049 11049->11020 11050->11027 11052->11038 11054 6cf114aa 11053->11054 11080 6cf11593 11053->11080 11055 6cf114bb 11054->11055 11056 6cf0cc84 __freea 14 API calls 11054->11056 11057 6cf114cd 11055->11057 11058 6cf0cc84 __freea 14 API calls 11055->11058 11056->11055 11059 6cf114df 11057->11059 11061 6cf0cc84 __freea 14 API calls 11057->11061 11058->11057 11060 6cf114f1 11059->11060 11062 6cf0cc84 __freea 14 API calls 11059->11062 11063 6cf11503 11060->11063 11064 6cf0cc84 __freea 14 API calls 11060->11064 11061->11059 11062->11060 11065 6cf11515 11063->11065 11066 6cf0cc84 __freea 14 API calls 11063->11066 11064->11063 11067 6cf11527 11065->11067 11069 6cf0cc84 __freea 14 API calls 11065->11069 11066->11065 11068 6cf11539 11067->11068 11070 6cf0cc84 __freea 14 API calls 11067->11070 11071 6cf1154b 11068->11071 11072 6cf0cc84 __freea 14 API calls 11068->11072 11069->11067 11070->11068 11073 6cf1155d 11071->11073 11074 6cf0cc84 __freea 14 API calls 11071->11074 11072->11071 11075 6cf0cc84 __freea 14 API calls 11073->11075 11076 6cf1156f 11073->11076 11074->11073 11075->11076 11077 6cf0cc84 __freea 14 API calls 11076->11077 11078 6cf11581 11076->11078 11077->11078 11079 6cf0cc84 __freea 14 API calls 11078->11079 11078->11080 11079->11080 11080->11032 11082 6cf115a4 11081->11082 11092 6cf115fc 11081->11092 11083 6cf115b4 11082->11083 11084 6cf0cc84 __freea 14 API calls 11082->11084 11085 6cf115c6 11083->11085 11086 6cf0cc84 __freea 14 API calls 11083->11086 11084->11083 11087 6cf115d8 11085->11087 11089 6cf0cc84 __freea 14 API calls 11085->11089 11086->11085 11088 6cf115ea 11087->11088 11090 6cf0cc84 __freea 14 API calls 11087->11090 11091 6cf0cc84 __freea 14 API calls 11088->11091 11088->11092 11089->11087 11090->11088 11091->11092 11092->11034 11094 6cf0f699 11093->11094 11095 6cf0f6b8 
11093->11095 11094->11095 11099 6cf11625 11094->11099 11095->11038 11098 6cf0cc84 __freea 14 API calls 11098->11095 11100 6cf0f6b2 11099->11100 11101 6cf11636 11099->11101 11100->11098 11135 6cf11600 11101->11135 11104 6cf11600 _unexpected 14 API calls 11105 6cf11649 11104->11105 11106 6cf11600 _unexpected 14 API calls 11105->11106 11107 6cf11654 11106->11107 11108 6cf11600 _unexpected 14 API calls 11107->11108 11109 6cf1165f 11108->11109 11110 6cf11600 _unexpected 14 API calls 11109->11110 11111 6cf1166d 11110->11111 11112 6cf0cc84 __freea 14 API calls 11111->11112 11113 6cf11678 11112->11113 11114 6cf0cc84 __freea 14 API calls 11113->11114 11115 6cf11683 11114->11115 11116 6cf0cc84 __freea 14 API calls 11115->11116 11117 6cf1168e 11116->11117 11118 6cf11600 _unexpected 14 API calls 11117->11118 11119 6cf1169c 11118->11119 11120 6cf11600 _unexpected 14 API calls 11119->11120 11121 6cf116aa 11120->11121 11122 6cf11600 _unexpected 14 API calls 11121->11122 11123 6cf116bb 11122->11123 11124 6cf11600 _unexpected 14 API calls 11123->11124 11125 6cf116c9 11124->11125 11126 6cf11600 _unexpected 14 API calls 11125->11126 11127 6cf116d7 11126->11127 11128 6cf0cc84 __freea 14 API calls 11127->11128 11129 6cf116e2 11128->11129 11130 6cf0cc84 __freea 14 API calls 11129->11130 11131 6cf116ed 11130->11131 11132 6cf0cc84 __freea 14 API calls 11131->11132 11133 6cf116f8 11132->11133 11134 6cf0cc84 __freea 14 API calls 11133->11134 11134->11100 11136 6cf11612 11135->11136 11137 6cf11621 11136->11137 11138 6cf0cc84 __freea 14 API calls 11136->11138 11137->11104 11138->11136 11139->11024 11179 6cf0ea43 11140->11179 11143 6cf0eb5a 11145 6cf0eb66 __FrameHandler3::FrameUnwindToState 11143->11145 11144 6cf0c688 __dosmaperr 14 API calls 11152 6cf0eb97 CallUnexpected 11144->11152 11145->11144 11146 6cf0ebb6 11145->11146 11148 6cf0ebc8 CallUnexpected 11145->11148 11145->11152 11147 6cf0cc14 __dosmaperr 14 API calls 11146->11147 11150 6cf0ebbb 11147->11150 11149 6cf0ebfe CallUnexpected 
11148->11149 11193 6cf0c863 EnterCriticalSection 11148->11193 11155 6cf0ed38 11149->11155 11156 6cf0ec3b 11149->11156 11166 6cf0ec69 11149->11166 11190 6cf0cb33 11150->11190 11152->11146 11152->11148 11169 6cf0eba0 11152->11169 11157 6cf0ed43 11155->11157 11225 6cf0c8ab LeaveCriticalSection 11155->11225 11156->11166 11194 6cf0c537 GetLastError 11156->11194 11160 6cf0b61e CallUnexpected 21 API calls 11157->11160 11161 6cf0ed4b 11160->11161 11163 6cf0c537 _unexpected 39 API calls 11167 6cf0ecbe 11163->11167 11165 6cf0c537 _unexpected 39 API calls 11165->11166 11221 6cf0ece4 11166->11221 11168 6cf0c537 _unexpected 39 API calls 11167->11168 11167->11169 11168->11169 11169->10939 11171 6cf0c953 CallUnexpected 11170->11171 11172 6cf0c97f IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 11171->11172 11175 6cf0ca50 CallUnexpected 11172->11175 11173 6cf08130 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 11174 6cf0ca6e 11173->11174 11174->10943 11175->11173 11275 6cf0b45b 11176->11275 11180 6cf0ea4f __FrameHandler3::FrameUnwindToState 11179->11180 11185 6cf0c863 EnterCriticalSection 11180->11185 11182 6cf0ea5d 11186 6cf0ea9f 11182->11186 11185->11182 11189 6cf0c8ab LeaveCriticalSection 11186->11189 11188 6cf0bf1e 11188->10939 11188->11143 11189->11188 11226 6cf0ca7f 11190->11226 11192 6cf0cb3f 11192->11169 11193->11149 11195 6cf0c553 11194->11195 11196 6cf0c54d 11194->11196 11198 6cf0e5a6 _unexpected 6 API calls 11195->11198 11200 6cf0c557 SetLastError 11195->11200 11197 6cf0e567 _unexpected 6 API calls 11196->11197 11197->11195 11199 6cf0c56f 11198->11199 11199->11200 11201 6cf0cc27 _unexpected 14 API calls 11199->11201 11204 6cf0c5e7 11200->11204 11205 6cf0c5ec 11200->11205 11203 6cf0c584 11201->11203 11206 6cf0c58c 11203->11206 11207 6cf0c59d 11203->11207 11204->11165 11208 6cf0bf19 CallUnexpected 37 API calls 11205->11208 11209 6cf0e5a6 _unexpected 6 API calls 11206->11209 11210 6cf0e5a6 _unexpected 6 API calls 11207->11210 
11211 6cf0c5f1 11208->11211 11212 6cf0c59a 11209->11212 11213 6cf0c5a9 11210->11213 11217 6cf0cc84 __freea 14 API calls 11212->11217 11214 6cf0c5c4 11213->11214 11215 6cf0c5ad 11213->11215 11218 6cf0c339 _unexpected 14 API calls 11214->11218 11216 6cf0e5a6 _unexpected 6 API calls 11215->11216 11216->11212 11217->11200 11219 6cf0c5cf 11218->11219 11220 6cf0cc84 __freea 14 API calls 11219->11220 11220->11200 11222 6cf0ecb0 11221->11222 11223 6cf0ece8 11221->11223 11222->11163 11222->11167 11222->11169 11274 6cf0c8ab LeaveCriticalSection 11223->11274 11225->11157 11227 6cf0ca91 ___std_exception_copy 11226->11227 11230 6cf0cab6 11227->11230 11229 6cf0caa9 ___std_exception_copy 11229->11192 11231 6cf0cacd 11230->11231 11232 6cf0cac6 11230->11232 11236 6cf0cadb 11231->11236 11245 6cf0c90e 11231->11245 11241 6cf0c000 GetLastError 11232->11241 11235 6cf0cb02 11235->11236 11248 6cf0cb43 IsProcessorFeaturePresent 11235->11248 11236->11229 11238 6cf0cb32 11239 6cf0ca7f ___std_exception_copy 29 API calls 11238->11239 11240 6cf0cb3f 11239->11240 11240->11229 11242 6cf0c019 11241->11242 11252 6cf0c739 11242->11252 11246 6cf0c932 11245->11246 11247 6cf0c919 GetLastError SetLastError 11245->11247 11246->11235 11247->11235 11249 6cf0cb4f 11248->11249 11250 6cf0c937 CallUnexpected 8 API calls 11249->11250 11251 6cf0cb64 GetCurrentProcess TerminateProcess 11250->11251 11251->11238 11253 6cf0c74c 11252->11253 11257 6cf0c752 11252->11257 11255 6cf0e567 _unexpected 6 API calls 11253->11255 11254 6cf0e5a6 _unexpected 6 API calls 11256 6cf0c76c 11254->11256 11255->11257 11258 6cf0c035 SetLastError 11256->11258 11259 6cf0cc27 _unexpected 14 API calls 11256->11259 11257->11254 11257->11258 11258->11231 11260 6cf0c77c 11259->11260 11261 6cf0c784 11260->11261 11262 6cf0c799 11260->11262 11263 6cf0e5a6 _unexpected 6 API calls 11261->11263 11264 6cf0e5a6 _unexpected 6 API calls 11262->11264 11265 6cf0c790 11263->11265 11266 6cf0c7a5 11264->11266 11270 6cf0cc84 __freea 14 API calls 11265->11270 
11267 6cf0c7b8 11266->11267 11268 6cf0c7a9 11266->11268 11269 6cf0c339 _unexpected 14 API calls 11267->11269 11271 6cf0e5a6 _unexpected 6 API calls 11268->11271 11272 6cf0c7c3 11269->11272 11270->11258 11271->11265 11273 6cf0cc84 __freea 14 API calls 11272->11273 11273->11258 11274->11222 11276 6cf0b488 11275->11276 11277 6cf0b499 11275->11277 11286 6cf0b523 GetModuleHandleW 11276->11286 11293 6cf0b30b 11277->11293 11282 6cf0b4d7 11287 6cf0b48d 11286->11287 11287->11277 11288 6cf0b57e GetModuleHandleExW 11287->11288 11289 6cf0b5bd GetProcAddress 11288->11289 11290 6cf0b5d1 11288->11290 11289->11290 11291 6cf0b5e4 FreeLibrary 11290->11291 11292 6cf0b5ed 11290->11292 11291->11292 11292->11277 11294 6cf0b317 __FrameHandler3::FrameUnwindToState 11293->11294 11308 6cf0c863 EnterCriticalSection 11294->11308 11296 6cf0b321 11309 6cf0b373 11296->11309 11298 6cf0b32e 11313 6cf0b34c 11298->11313 11301 6cf0b4f2 11337 6cf0b565 11301->11337 11303 6cf0b4fc 11304 6cf0b510 11303->11304 11305 6cf0b500 GetCurrentProcess TerminateProcess 11303->11305 11306 6cf0b57e CallUnexpected 3 API calls 11304->11306 11305->11304 11307 6cf0b518 ExitProcess 11306->11307 11308->11296 11311 6cf0b37f __FrameHandler3::FrameUnwindToState CallUnexpected 11309->11311 11310 6cf0b3e3 CallUnexpected 11310->11298 11311->11310 11316 6cf0bc72 11311->11316 11336 6cf0c8ab LeaveCriticalSection 11313->11336 11315 6cf0b33a 11315->11282 11315->11301 11317 6cf0bc7e __EH_prolog3 11316->11317 11320 6cf0bb3d 11317->11320 11319 6cf0bca5 __DllMainCRTStartup@12 11319->11310 11321 6cf0bb49 __FrameHandler3::FrameUnwindToState 11320->11321 11328 6cf0c863 EnterCriticalSection 11321->11328 11323 6cf0bb57 11329 6cf0bb98 11323->11329 11328->11323 11330 6cf0bb64 11329->11330 11331 6cf0bbb7 11329->11331 11333 6cf0bb8c 11330->11333 11331->11330 11332 6cf0cc84 __freea 14 API calls 11331->11332 11332->11330 11334 6cf0c8ab CallUnexpected LeaveCriticalSection 11333->11334 11335 6cf0bb75 11334->11335 11335->11319 11336->11315 11340 
Execution graph (Joe Sandbox IDA plugin) for the module mapped at 6CF00000. The node-and-edge listing exported from the interactive graph does not survive as readable text; only the symbol names attached to the graph nodes are recoverable. Windows APIs referenced by graph nodes: CloseHandle, DeleteCriticalSection, EncodePointer, EnterCriticalSection, FindClose, GetACP, GetCPInfo, GetFileType, GetLastError, GetModuleFileNameW, GetOEMCP, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, HeapAlloc, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryW, MultiByteToWideChar, RaiseException, RtlUnwind, SetLastError, SetStdHandle, TlsAlloc, TlsGetValue, TlsSetValue, WideCharToMultiByte. Internal CRT/VCRuntime symbols named in the graph include __DllMainCRTStartup@12, ___scrt_dllmain_exception_filter, ___scrt_uninitialize_crt, ___scrt_release_startup_lock, ___scrt_is_nonwritable_in_current_image, __RTC_Initialize, __InternalCxxFrameHandler, ___CxxFrameHandler, __FrameHandler3::FrameUnwindToState, __CallSettingFrame@12, ___TypeMatch, ___AdjustPointer, __EH_prolog3, __EH_prolog3_catch, ___except_validate_context_record, type_info::operator==, CallUnexpected, _unexpected, __dosmaperr, __freea, __alloca_probe_16, ___std_exception_copy, ___std_exception_destroy, ___vcrt_FlsGetValue, ___vcrt_FlsSetValue, ___vcrt_FlsFree, ___vcrt_uninitialize_locks, ___vcrt_uninitialize_ptd, and __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Virtual$Memory$Write$Thread$AllocateCreate$AllocCloseContextHandle$ProcessReadResume
                                                    • String ID: 7=t$)@\}$)@\}$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$hqNknylUZCBDNGCDZ2RkZFettORkJGRBs4JDYyVk5KSUVbLH50HDKOZkpIEBKOZkpLLDJWTkpJxpnKC20CQgtvRpoRWyx6Eyw2MlZOSknFRVs8bog7QjweQDdEctD6SGo0$kernel32.dll$ntdll.dll$o~c$uL<
                                                    • API String ID: 2838827027-2109832365
                                                    • Opcode ID: 95ff1c05e9c7f756c59facf96d3d025535dc8cd2a1a0622112a8ad49bc82d44f
                                                    • Instruction ID: e6f5b924c09248dba1b9f4e9ab175b09b984836cb32894c52de22bde4cbe8e53
                                                    • Opcode Fuzzy Hash: 95ff1c05e9c7f756c59facf96d3d025535dc8cd2a1a0622112a8ad49bc82d44f
                                                    • Instruction Fuzzy Hash: 2A73E076B04654CFCB18CE2CC9E57CA7BF2AB8A315F108199E409EB760D6359E89DF40

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 559 6cf01210-6cf0122e 560 6cf01238-6cf01249 559->560 561 6cf01b32-6cf01b7e 560->561 562 6cf0124f-6cf0125f 560->562 563 6cf02680 561->563 565 6cf025b2-6cf025bf 562->565 566 6cf01265-6cf01275 562->566 563->560 565->563 568 6cf0127b-6cf0128b 566->568 569 6cf0189d-6cf018a7 566->569 571 6cf01291-6cf012a1 568->571 572 6cf02667-6cf02676 CloseHandle 568->572 569->563 574 6cf01d43-6cf01db4 571->574 575 6cf012a7-6cf012b7 571->575 572->563 574->563 577 6cf01f04-6cf01f0e 575->577 578 6cf012bd-6cf012cd 575->578 577->563 580 6cf017e1-6cf01898 GetCurrentProcess 578->580 581 6cf012d3-6cf012e3 578->581 580->563 583 6cf012e9-6cf012f9 581->583 584 6cf0214c-6cf0217d 581->584 586 6cf0199a-6cf01a16 583->586 587 6cf012ff-6cf0130f 583->587 584->563 586->563 589 6cf01315-6cf01325 587->589 590 6cf022fd-6cf02307 587->590 592 6cf025c4-6cf025d1 589->592 593 6cf0132b-6cf0133b 589->593 590->563 592->563 595 6cf01341-6cf01351 593->595 596 6cf0207c-6cf020ac 593->596 598 6cf02111-6cf02147 595->598 599 6cf01357-6cf01367 595->599 596->563 598->563 601 6cf01eac-6cf01eff CloseHandle 599->601 602 6cf0136d-6cf0137d 599->602 601->563 604 6cf01383-6cf01393 602->604 605 6cf023ff-6cf02413 602->605 607 6cf01f22-6cf01f8b 604->607 608 6cf01399-6cf013a9 604->608 605->563 607->563 610 6cf025f4-6cf0264b MapViewOfFile 608->610 611 6cf013af-6cf013bf 608->611 610->563 613 6cf013c5-6cf013d5 611->613 614 6cf0176b-6cf017dc 611->614 616 6cf01b1b-6cf01b2d 613->616 617 6cf013db-6cf013eb 613->617 614->563 616->563 619 6cf01ca1-6cf01d20 617->619 620 6cf013f1-6cf01401 617->620 619->563 622 6cf023f0-6cf023fa 620->622 623 6cf01407-6cf01417 620->623 622->563 625 6cf01a2a-6cf01ae9 K32GetModuleInformation GetModuleFileNameA CreateFileA 623->625 626 6cf0141d-6cf0142d 623->626 625->563 628 6cf02650-6cf02662 626->628 629 6cf01433-6cf01443 626->629 628->563 631 6cf02325-6cf02369 629->631 632 6cf01449-6cf01459 629->632 631->563 634 6cf02452-6cf0249e 632->634 635 
6cf0145f-6cf0146f 632->635 634->563 637 6cf01f90-6cf02053 MapViewOfFile 635->637 638 6cf01475-6cf01485 635->638 637->563 640 6cf021b8-6cf021e1 638->640 641 6cf0148b-6cf0149b 638->641 640->563 643 6cf014a1-6cf014b1 641->643 644 6cf02182-6cf021b3 call 6cf0b0c0 641->644 647 6cf014b7-6cf014c7 643->647 648 6cf01db9-6cf01e2a 643->648 644->563 651 6cf024fb-6cf02505 647->651 652 6cf014cd-6cf014dd 647->652 648->563 651->563 654 6cf01b83-6cf01c3c CreateFileMappingA 652->654 655 6cf014e3-6cf014f3 652->655 654->563 657 6cf01915-6cf0191f 655->657 658 6cf014f9-6cf01509 655->658 657->563 660 6cf02058-6cf02062 658->660 661 6cf0150f-6cf0151f 658->661 660->563 663 6cf020b1-6cf020c5 661->663 664 6cf01525-6cf01535 661->664 663->563 666 6cf0252a-6cf02546 GetCurrentProcess 664->666 667 6cf0153b-6cf0154b 664->667 666->563 669 6cf01551-6cf01561 667->669 670 6cf01aee-6cf01b07 667->670 672 6cf01924-6cf01995 669->672 673 6cf01567-6cf01577 669->673 670->563 672->563 675 6cf0230c-6cf02320 673->675 676 6cf0157d-6cf0158d 673->676 675->563 678 6cf01593-6cf015a3 676->678 679 6cf020ca-6cf020ee 676->679 681 6cf015a9-6cf015b9 678->681 682 6cf0254b-6cf0255b 678->682 679->563 684 6cf02519-6cf02529 call 6cf08130 681->684 685 6cf015bf-6cf015cf 681->685 682->563 689 6cf015d5-6cf015e5 685->689 690 6cf025d6-6cf025ef CloseHandle 685->690 692 6cf01c50-6cf01c9c 689->692 693 6cf015eb-6cf015fb 689->693 690->563 692->563 695 6cf01601-6cf01611 693->695 696 6cf01e3e-6cf01ea7 693->696 698 6cf01f13-6cf01f1d 695->698 699 6cf01617-6cf01627 695->699 696->563 698->563 701 6cf01d25-6cf01d3e 699->701 702 6cf0162d-6cf0163d 699->702 701->563 704 6cf01643-6cf01653 702->704 705 6cf022e6-6cf022f8 702->705 707 6cf02418-6cf0244d CloseHandle * 2 704->707 708 6cf01659-6cf01669 704->708 705->563 707->563 710 6cf0236e-6cf023eb 708->710 711 6cf0166f-6cf0167f 708->711 710->563 713 6cf01685-6cf01695 711->713 714 6cf02067-6cf02077 711->714 716 6cf0169b-6cf016ab 713->716 717 6cf01e2f-6cf01e39 713->717 714->563 719 6cf01c41-6cf01c4b 
716->719 720 6cf016b1-6cf016c1 716->720 717->563 719->563 722 6cf020f3-6cf0210c 720->722 723 6cf016c7-6cf016d7 720->723 722->563 725 6cf0250a-6cf02514 723->725 726 6cf016dd-6cf016ed 723->726 725->563 728 6cf024a3-6cf024f6 CloseHandle 726->728 729 6cf016f3-6cf01703 726->729 728->563 731 6cf02560-6cf025ad CreateFileMappingA 729->731 732 6cf01709-6cf01719 729->732 731->563 734 6cf01a1b-6cf01a25 732->734 735 6cf0171f-6cf0172f 732->735 734->563 737 6cf01735-6cf01745 735->737 738 6cf01b0c-6cf01b16 735->738 740 6cf021e6-6cf022e1 VirtualProtect call 6cf08eb0 VirtualProtect 737->740 741 6cf0174b-6cf0175b 737->741 738->563 740->563 745 6cf01761-6cf01766 741->745 746 6cf018ac-6cf01910 call 6cf08d50 GetModuleHandleA 741->746 745->563 746->563
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileHandle$Close$CreateModule$MappingProtectVirtual$CurrentInformationNameProcessView
                                                    • String ID: .text$0x:$@$B>j$B>j$n^<j$n^<j
                                                    • API String ID: 1334470580-1042743706
                                                    • Opcode ID: 44943460dedd2ae7c49eb2fb90fef77c64762d29f461de15c19c80b545039ebe
                                                    • Instruction ID: ce26b82a9cdc39210c837e059a7a10a755700033c06a29e8d97c58ae7d81b78a
                                                    • Opcode Fuzzy Hash: 44943460dedd2ae7c49eb2fb90fef77c64762d29f461de15c19c80b545039ebe
                                                    • Instruction Fuzzy Hash: 47B2EB76B042158FCB04CF7CC8A93DEBBF1AB46714F108699E409DB792D6369988EF41

                                                    Control-flow Graph

                                                    control_flow_graph 800 6cf03250-6cf03269 801 6cf03270-6cf0327b 800->801 802 6cf03281-6cf0328e 801->802 803 6cf03659-6cf0369a 801->803 806 6cf03294-6cf032a1 802->806 807 6cf0369f-6cf03705 802->807 805 6cf03747 803->805 805->801 809 6cf032a7-6cf032b4 806->809 810 6cf0353d-6cf03544 806->810 807->805 812 6cf032ba-6cf032c7 809->812 813 6cf033ce-6cf0344b GetModuleHandleW call 6cf02690 call 6cf08d50 809->813 810->805 817 6cf03734-6cf0373b 812->817 818 6cf032cd-6cf032da 812->818 813->805 817->805 821 6cf032e0-6cf032ed 818->821 822 6cf0358e-6cf035f4 818->822 825 6cf03582-6cf03589 821->825 826 6cf032f3-6cf03300 821->826 822->805 825->805 828 6cf03306-6cf03313 826->828 829 6cf035f9-6cf03648 826->829 831 6cf03498-6cf034e1 828->831 832 6cf03319-6cf03326 828->832 829->805 831->805 834 6cf0332c-6cf03339 832->834 835 6cf0355d-6cf0356a 832->835 837 6cf03450-6cf03493 NtQueryInformationProcess 834->837 838 6cf0333f-6cf0334c 834->838 835->805 837->805 840 6cf03352-6cf0335f 838->840 841 6cf03549-6cf03558 838->841 843 6cf03365-6cf03372 840->843 844 6cf034e6-6cf03538 840->844 841->805 846 6cf03725-6cf0372f 843->846 847 6cf03378-6cf03385 843->847 844->805 846->805 849 6cf0338b-6cf03398 847->849 850 6cf0356f-6cf0357d 847->850 852 6cf0364d-6cf03654 849->852 853 6cf0339e-6cf033ab 849->853 850->805 852->805 855 6cf033b1-6cf033be 853->855 856 6cf0370a-6cf03724 call 6cf08130 853->856 859 6cf03740 855->859 860 6cf033c4-6cf033c9 855->860 859->805 860->805
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(?,?,?,?,?,?), ref: 6CF033EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID: NtQueryInformationProcess$ntdll.dll$s!4
                                                    • API String ID: 4139908857-1094640038
                                                    • Opcode ID: c6ff037493a0dee1b9194b2de5dda0fc66b50168cf6cf261069d924ffeac59b4
                                                    • Instruction ID: 1d1453e6037b3e5b4898827a639da626f966c61a69d141f3f244e3d31c49f65b
                                                    • Opcode Fuzzy Hash: c6ff037493a0dee1b9194b2de5dda0fc66b50168cf6cf261069d924ffeac59b4
                                                    • Instruction Fuzzy Hash: 02C1DF76B14245CFCB04CEBCD9E5BDEBBF1AB46728F218119E810EBB50C735A9499B01

                                                    Control-flow Graph

                                                    control_flow_graph 952 27008ac-27008b3 953 27008b9-27008c3 952->953 954 2700f7c-2700f8a 952->954 953->954 955 27008c9-27008d9 953->955 958 2700f8c 954->958 959 2700f8e 954->959 955->954 957 27008df-27008e9 955->957 957->954 960 27008ef-27008ff 957->960 958->959 962 2700f90 959->962 963 2700f92 959->963 960->954 961 2700905-270090f 960->961 961->954 964 2700915-270092a 961->964 962->963 965 2700f93-2700f94 963->965 966 2700f96 963->966 970 2700f75-2700f7b 964->970 971 27008a5 964->971 965->966 968 2700f98-2700f99 966->968 969 2700f9a 966->969 968->969 972 2700f9c 969->972 973 2700f9e 969->973 971->970 972->973 974 2700fa2 973->974 975 2700f9f-2700fa1 973->975 976 2700fa4-2700fa5 974->976 977 2700fa6 974->977 975->974 976->977 978 2700fa7-2700fa8 977->978 979 2700faa 977->979 978->979 980 2700fab-2700fad 979->980 981 2700fae-2700fb2 979->981 980->981 983 2700fb4 981->983 984 2700fb6 981->984 983->984 985 2700fc5 983->985 986 2700fb8-2700fb9 984->986 987 2700fba 984->987 988 2700fc6 985->988 986->987 989 2700fbc 987->989 990 2700fbe 987->990 991 2700fc8-2700fc9 988->991 992 2700fca 988->992 989->990 993 2700fc0-2700fc1 990->993 994 2700fc2 990->994 991->992 996 2700fcc-2700fcd 992->996 997 2700fce 992->997 993->994 994->988 995 2700fc3-2700fc4 994->995 995->985 996->997 998 2700fd0-2700fd1 997->998 999 2700fd2 997->999 998->999 1000 2700fd4-2700fd5 999->1000 1001 2700fd6 999->1001 1000->1001 1002 2700fd8 1001->1002 1003 2700fda 1001->1003 1002->1003 1004 2700fdc-2700fdd 1003->1004 1005 2700fde 1003->1005 1004->1005 1006 2700fe0-2700fe1 1005->1006 1007 2700fe2 1005->1007 1006->1007 1008 2700fe4-2700fe5 1007->1008 1009 2700fe6 1007->1009 1008->1009 1010 2700fe8-2700fe9 1009->1010 1011 2700fea 1009->1011 1010->1011 1012 2700fec-2700fed 1011->1012 1013 2700fee 1011->1013 1012->1013 1014 2700ff0 1013->1014 1015 2700ff2 1013->1015 1014->1015 1016 2700ff4-2700ff5 1015->1016 1017 2700ff6 1015->1017 1016->1017 1018 
2700ff7-2700ff9 1017->1018 1019 2700ffa 1017->1019 1018->1019 1020 2700ffc 1019->1020 1021 2700ffe 1019->1021 1020->1021 1022 2701002 1021->1022 1023 2700fff-2701000 1021->1023 1025 2701004-2701005 1022->1025 1026 2701006 1022->1026 1023->1022 1024 270100e 1023->1024 1029 2701010 1024->1029 1030 2701012 1024->1030 1025->1026 1027 2701008-2701009 1026->1027 1028 270100a 1026->1028 1027->1028 1028->1024 1031 270100b-270100d 1028->1031 1032 2701014-2701015 1030->1032 1033 2701016 1030->1033 1031->1024 1032->1033 1034 2701018 1033->1034 1035 270101a 1033->1035 1034->1035 1036 2701023-2701024 1034->1036 1037 270101c 1035->1037 1038 270101e 1035->1038 1039 2701026 1036->1039 1037->1038 1040 270102c-2701046 1037->1040 1041 2701020-2701021 1038->1041 1042 2701022 1038->1042 1043 2701028 1039->1043 1044 270102a-270102b 1039->1044 1045 2701049-2701065 call 27000e4 1040->1045 1041->1042 1042->1036 1042->1039 1043->1045 1046 2701029 1043->1046 1044->1040 1049 270106a 1045->1049 1046->1044 1050 270106f-2701084 1049->1050 1051 2701186-27011cf call 27000f4 1050->1051 1052 270108a 1050->1052 1076 27011d1 call 2701ac0 1051->1076 1077 27011d1 call 2701b8d 1051->1077 1078 27011d1 call 2701b1e 1051->1078 1052->1049 1052->1051 1053 2701091-27010bf 1052->1053 1054 27010c1-27010d9 call 2701464 1052->1054 1055 2701102-2701106 1052->1055 1056 2701119-2701136 1052->1056 1057 270113b-2701146 1052->1057 1058 270114b-270116a 1052->1058 1059 270116f-2701181 1052->1059 1053->1050 1072 27010df-27010fd 1054->1072 1060 2701108-270110d 1055->1060 1061 270110f 1055->1061 1056->1050 1057->1050 1058->1050 1059->1050 1068 2701114 1060->1068 1061->1068 1068->1050 1072->1050 1075 27011d7-27011e0 1076->1075 1077->1075 1078->1075
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te^q$Te^q
                                                    • API String ID: 0-3743469327
                                                    • Opcode ID: d76d287e1c91526bc86b23b4787ad0cc1799e821f4bdb84b4300c8caefda9572
                                                    • Instruction ID: 162690f9dbd91ba28e98dbf3af57cf40d91344c740ceb0d5ef10f2a5d25f934f
                                                    • Opcode Fuzzy Hash: d76d287e1c91526bc86b23b4787ad0cc1799e821f4bdb84b4300c8caefda9572
                                                    • Instruction Fuzzy Hash: 38B10830A04285CFC709CB74C4D9A9AFBF2BF8B354F15849AD045AB2B6C734A94DDB51

                                                    Control-flow Graph

                                                    control_flow_graph 1179 2703b8d-2703b8f 1180 27040d1-27040e6 1179->1180 1181 2703b95-2703b9c 1179->1181 1187 27040e8 1180->1187 1188 27040ea 1180->1188 1181->1180 1182 2703ba2-2703bb4 1181->1182 1185 2703b42 1182->1185 1186 27040b6-27040b9 call 2701038 1182->1186 1185->1186 1194 27040be-27040d0 1186->1194 1187->1188 1190 27040ec 1188->1190 1191 27040ee 1188->1191 1190->1191 1192 27040f0 1191->1192 1193 27040f2 1191->1193 1192->1193 1195 27040f4 1193->1195 1196 27040f6 1193->1196 1195->1196 1198 27040f7-27040f9 1196->1198 1199 27040fa 1196->1199 1198->1199 1200 27040fc 1199->1200 1201 27040fe 1199->1201 1200->1201 1202 2704100 1201->1202 1203 2704102 1201->1203 1202->1203 1204 2704104 1203->1204 1205 2704106 1203->1205 1204->1205 1206 2704107-2704109 1205->1206 1207 270410a 1205->1207 1206->1207 1208 270410e 1206->1208 1207->1208 1209 270410c-270410d 1207->1209 1210 2704110 1208->1210 1211 2704112 1208->1211 1209->1208 1210->1211 1212 2704113-2704114 1211->1212 1213 2704116 1211->1213 1212->1213 1214 2704151 1212->1214 1215 2704118 1213->1215 1216 270411a 1213->1216 1217 2704152 1214->1217 1215->1216 1218 270411c-270411d 1216->1218 1219 270411e 1216->1219 1220 2704154-2704155 1217->1220 1221 2704156 1217->1221 1218->1219 1222 2704120 1219->1222 1223 2704122 1219->1223 1220->1221 1224 2704158 1221->1224 1225 270415a 1221->1225 1222->1223 1226 2704123-2704124 1223->1226 1227 2704126 1223->1227 1224->1225 1228 270415c 1225->1228 1229 270415e 1225->1229 1226->1227 1230 2704128-2704129 1227->1230 1231 270412a 1227->1231 1228->1229 1232 2704160 1229->1232 1233 2704162 1229->1233 1230->1231 1234 270412c-270412d 1231->1234 1235 270412e 1231->1235 1232->1233 1238 2704164 1233->1238 1239 2704166 1233->1239 1234->1235 1236 2704132 1235->1236 1237 270412f-2704131 1235->1237 1240 2704134 1236->1240 1241 2704136 1236->1241 1237->1236 1238->1239 1242 2704168 1239->1242 1243 270416a-2704174 1239->1243 1240->1241 1245 
2704137-2704138 1241->1245 1246 270413a 1241->1246 1242->1243 1244 2704176-270417a 1243->1244 1247 270417c 1244->1247 1248 270417e-270418b 1244->1248 1245->1244 1245->1246 1249 270413c 1246->1249 1250 270413e 1246->1250 1247->1248 1251 27041c3-27041c6 1247->1251 1252 270418e-2704193 1248->1252 1249->1250 1253 2704140-2704141 1250->1253 1254 2704142 1250->1254 1255 27041c8 1251->1255 1256 27041ca-2704233 1251->1256 1259 270419e 1252->1259 1253->1254 1257 2704144 1254->1257 1258 2704146 1254->1258 1255->1256 1267 27041a6-27041bb 1256->1267 1257->1258 1260 2704148-2704149 1258->1260 1261 270414a 1258->1261 1262 27041a1 1259->1262 1260->1261 1264 270414c 1261->1264 1265 270414e 1261->1265 1262->1267 1264->1252 1266 270414d 1264->1266 1265->1214 1265->1217 1266->1265 1268 27041c1 1267->1268 1269 270434a-2704351 1267->1269 1268->1251 1268->1255 1268->1262 1268->1269 1271 27042f2-2704345 1268->1271 1272 2704238-270424a 1268->1272 1273 270426e-27042c3 1268->1273 1274 270424f-2704253 1268->1274 1271->1267 1272->1267 1296 27042c9-27042d7 1273->1296 1275 2704255-270425a 1274->1275 1276 270425c 1274->1276 1278 2704261-2704269 1275->1278 1276->1278 1278->1267 1298 27042e0 1296->1298 1299 27042d9-27042de 1296->1299 1300 27042e5-27042ed 1298->1300 1299->1300 1300->1267
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $^q
                                                    • API String ID: 0-388095546
                                                    • Opcode ID: 3393a71e2a9f2f5f51e054f8a5a423b0df22f3542826901f53b7db99d39ff761
                                                    • Instruction ID: 9129afa5e546ca6be781066b8c2758162b99686cd8f996402f49c9abdce31541
                                                    • Opcode Fuzzy Hash: 3393a71e2a9f2f5f51e054f8a5a423b0df22f3542826901f53b7db99d39ff761
                                                    • Instruction Fuzzy Hash: 59813A31B04244DFC7199B3588F475A7BF3AFEA244B14849AC251FB2E9DA30DC4E8751

                                                    Control-flow Graph

                                                    control_flow_graph 1301 270245c-270246b 1302 2702395-27023aa 1301->1302 1303 27023b0 1302->1303 1304 2702669-2702670 1302->1304 1303->1304 1305 2702470-270247b 1303->1305 1306 2702632-270263b 1303->1306 1307 2702435-270243b 1303->1307 1308 27025f5-27025fb 1303->1308 1309 27023b7-27023bd 1303->1309 1310 27023f7-270240d 1303->1310 1311 2702578-270257b 1303->1311 1312 27025b9-27025ca 1303->1312 1313 27024bc-27024c2 1303->1313 1314 27024e2-27024e8 1303->1314 1315 27024a3-27024b7 1303->1315 1316 2702567-2702573 1303->1316 1317 27023e9-27023f5 1303->1317 1318 270252e-2702531 1303->1318 1319 2702390 1303->1319 1320 2702493-270249e 1303->1320 1321 2702455-2702458 1303->1321 1322 2702555-2702562 1303->1322 1323 2702657-2702664 1303->1323 1324 27023da-27023e7 1303->1324 1325 270261d-270262d 1303->1325 1326 270259e-27025b4 1303->1326 1327 2702502-270250b 1303->1327 1328 2702544-2702550 1303->1328 1329 270258e-2702599 1303->1329 1330 270260e-2702618 1303->1330 1331 27025cf-27025d5 1303->1331 1332 270240f-2702415 1303->1332 1359 270247d call 27027f8 1305->1359 1360 270247d call 27027e8 1305->1360 1334 2702673-2702682 1306->1334 1338 270263d-2702652 1306->1338 1307->1334 1341 2702441-2702450 1307->1341 1336 2702604 1308->1336 1337 27025fd-2702602 1308->1337 1309->1334 1339 27023c3-27023d8 1309->1339 1310->1302 1347 2702584 1311->1347 1348 270257d-2702582 1311->1348 1312->1302 1313->1334 1342 27024c8-27024dd 1313->1342 1314->1334 1343 27024ee-27024fd 1314->1343 1315->1302 1316->1302 1317->1302 1345 2702533-2702538 1318->1345 1346 270253a 1318->1346 1319->1302 1320->1302 1321->1301 1322->1302 1323->1302 1324->1302 1325->1302 1326->1302 1327->1334 1344 2702511-2702529 1327->1344 1328->1302 1329->1302 1330->1302 1331->1334 1335 27025db-27025f0 1331->1335 1332->1334 1340 270241b-2702430 1332->1340 1335->1302 1352 2702609 1336->1352 1337->1352 1338->1302 1339->1302 1340->1302 1341->1302 1342->1302 1343->1302 1344->1302 1354 270253f 
1345->1354 1346->1354 1356 2702589 1347->1356 1348->1356 1351 2702483-270248e 1351->1302 1352->1302 1354->1302 1356->1302 1359->1351 1360->1351
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: cM%
                                                    • API String ID: 0-1864208640
                                                    • Opcode ID: bf3e2f84ab07ab75d7ad4b2193c030c48f22c7ee000bc2ed7b767d1081e4ca22
                                                    • Instruction ID: 20a925c68058398d46529e923fbedac4f6fe526a6ccb45080c82623d0ecf091c
                                                    • Opcode Fuzzy Hash: bf3e2f84ab07ab75d7ad4b2193c030c48f22c7ee000bc2ed7b767d1081e4ca22
                                                    • Instruction Fuzzy Hash: 6C71B233618211CFC305CF64C5D8429F7E5BB4A3007A29996D902EF6E2CB34ED99CB96

                                                    Control-flow Graph

                                                    control_flow_graph 1361 2705c98-2705c9e 1362 2705ca0 1361->1362 1363 2705ca2 1361->1363 1362->1363 1364 2705ca4-2705ca5 1363->1364 1365 2705ca6-2705cf9 call 27002ac call 27002bc 1363->1365 1364->1365 1374 2705cfc 1365->1374 1375 2705d01-2705d16 1374->1375 1376 2705d9b-2705dbc 1375->1376 1377 2705d1c 1375->1377 1385 2705dfe 1376->1385 1386 2705dbe 1376->1386 1377->1374 1377->1376 1378 2705d30-2705d7c 1377->1378 1379 2705e70 1377->1379 1380 2705df1-2705dfc 1377->1380 1381 2705e96-2705ea7 1377->1381 1382 2705eb6-2705ec0 1377->1382 1383 2705ddb 1377->1383 1384 2705d7e-2705d96 1377->1384 1377->1385 1377->1386 1387 2705e60-2705e6b 1377->1387 1388 2705d23-2705d2e 1377->1388 1389 2705ea9-2705eb4 1377->1389 1390 2705e4a-2705e5e 1377->1390 1391 2705e2d 1377->1391 1392 2705e6d 1377->1392 1378->1375 1396 2705e75-2705e84 1379->1396 1395 2705dc3-2705dd2 1380->1395 1381->1396 1397 2705de4-2705def 1383->1397 1384->1375 1385->1391 1386->1395 1394 2705e32-2705e41 1387->1394 1388->1375 1389->1396 1390->1394 1391->1394 1392->1379 1394->1392 1398 2705e43 1394->1398 1395->1385 1403 2705dd4 1395->1403 1396->1382 1401 2705e86 1396->1401 1397->1395 1398->1379 1398->1381 1398->1382 1398->1387 1398->1389 1398->1390 1398->1391 1398->1392 1401->1379 1401->1381 1401->1382 1401->1389 1403->1379 1403->1380 1403->1381 1403->1382 1403->1383 1403->1385 1403->1386 1403->1387 1403->1389 1403->1390 1403->1391 1403->1392
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te^q
                                                    • API String ID: 0-671973202
                                                    • Opcode ID: 5259748a9ee6c38e52e446e04c7925c7b42970d10081f10afe18cba038a24649
                                                    • Instruction ID: 930b4d200060f9d2a44024dbffd57f870a0c96e8e9a77e2fc70131729cd8dad1
                                                    • Opcode Fuzzy Hash: 5259748a9ee6c38e52e446e04c7925c7b42970d10081f10afe18cba038a24649
                                                    • Instruction Fuzzy Hash: 1451D335B24215CFCB44CB68D9D9A9EBBF1BB88710B614866E402EB3A1CB35DD04CF81

                                                    Control-flow Graph
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $^q
                                                    • API String ID: 0-388095546
                                                    • Opcode ID: a58dc6bad1c67f9213ca49c3812cd3ce1519a53fbec8613569c4d084fdcf5461
                                                    • Instruction ID: a1525dc67a3ca8bde0b4ec45cb9e4f59f8bb2a9f6ccd079e8d6ce8307521f58f
                                                    • Opcode Fuzzy Hash: a58dc6bad1c67f9213ca49c3812cd3ce1519a53fbec8613569c4d084fdcf5461
                                                    • Instruction Fuzzy Hash: 09411631B443458FC754DB7988A4B6B7AF7ABC9200B14886AD106EB3E5DE34DC098792
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1c6f2eb5ad3aa9a8ad51fbd9b5ad793ed0e936255e1d68967d7a186988b8278
                                                    • Instruction ID: 1dace1294b7d0fa3434204b6fc18fd215a7f8145afe6fe93f6fc40c5181aa2ef
                                                    • Opcode Fuzzy Hash: c1c6f2eb5ad3aa9a8ad51fbd9b5ad793ed0e936255e1d68967d7a186988b8278
                                                    • Instruction Fuzzy Hash: DD410431F64206CB87049B7999C512EBBE6BB8926079184379406FB2E0DB34CD4ECF92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c473523b6f21c4a767ee6ac3b35ed9dcd28940ff65fd2a475476d65ef3d5e421
                                                    • Instruction ID: 50248c96365d8ebfc1d799268ab84acdcc1946ce35bb0a24d4a08d572dabd367
                                                    • Opcode Fuzzy Hash: c473523b6f21c4a767ee6ac3b35ed9dcd28940ff65fd2a475476d65ef3d5e421
                                                    • Instruction Fuzzy Hash: BB41F231E28206CBC7449B7599D516ABBF5BB8A260792442B8406FB2E0DB34CD4ECF52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 97672cd403cc894026b3d299cb0a1353dbf6b7f274f0de05520a673b0ce0b372
                                                    • Instruction ID: 6dff0c2372a0a6393d201a4090a33b53243511b40ba1d24f32e94baef653f29c
                                                    • Opcode Fuzzy Hash: 97672cd403cc894026b3d299cb0a1353dbf6b7f274f0de05520a673b0ce0b372
                                                    • Instruction Fuzzy Hash: 31413831F28206CBC7089B75D9D513ABBF5BB8A26079254278442FB2E0DB24CD4ECF42
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b1a3a88fbad692c34ec30262be6d16c7fa0626ec92e7631354b47b10806ec2d7
                                                    • Instruction ID: 43e924c4b1418a01f918f3abdfde759253bdc614f35ed6db4f33bc2a7ae8e44c
                                                    • Opcode Fuzzy Hash: b1a3a88fbad692c34ec30262be6d16c7fa0626ec92e7631354b47b10806ec2d7
                                                    • Instruction Fuzzy Hash: 29310631B08215CFC704CAA5D9D127EBBE6ABC8300B558567F44AEB2A1D634CE15CB50

                                                    Control-flow Graph

                                                    APIs
                                                    • __RTC_Initialize.LIBCMT ref: 6CF082DF
                                                    • ___scrt_uninitialize_crt.LIBCMT ref: 6CF082F9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Initialize___scrt_uninitialize_crt
                                                    • String ID:
                                                    • API String ID: 2442719207-0
                                                    • Opcode ID: a23a8b3ba139f5ff24682dd03cbe4d6d0bb56a3bace0041928a63ba19e8aa692
                                                    • Instruction ID: 96346bbb5ad38200ab0f8984aecd7e038a801b9677b0db727ca30421bf75b585
                                                    • Opcode Fuzzy Hash: a23a8b3ba139f5ff24682dd03cbe4d6d0bb56a3bace0041928a63ba19e8aa692
                                                    • Instruction Fuzzy Hash: B441A272F05624EFDB218F69C850B9E7B75EF81FA9F21811BE81567B40C7708905ABA0

                                                    Control-flow Graph
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: dllmain_raw$dllmain_crt_dispatch
                                                    • String ID:
                                                    • API String ID: 3136044242-0
                                                    • Opcode ID: 966b261325569abd9401bc0c7dfe32806b553b8d39193f441af943d41af43d3e
                                                    • Instruction ID: d690e8c25ab11b54cc87c6aa809df0b96a39950c8bebabef416ca8f09e8ff633
                                                    • Opcode Fuzzy Hash: 966b261325569abd9401bc0c7dfe32806b553b8d39193f441af943d41af43d3e
                                                    • Instruction Fuzzy Hash: 00217F72F01625EBDB218F55CD50AAF3B69EB81E98B11811BF81567B10C3308D01ABA0

                                                    Control-flow Graph

                                                    APIs
                                                    • __RTC_Initialize.LIBCMT ref: 6CF081DE
                                                      • Part of subcall function 6CF0865B: InitializeSListHead.KERNEL32(6CFD1430,6CF081E8,6CF19450,00000010,6CF08179,?,?,?,6CF083A1,?,00000001,?,?,00000001,?,6CF19498), ref: 6CF08660
                                                    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF08248
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                    • String ID:
                                                    • API String ID: 3231365870-0
                                                    • Opcode ID: 8f7eea875d67ccb7ca5991508bad4fbe5bce549ff70ef00e55b85f2402b10479
                                                    • Instruction ID: 9b25dc17a1c2b8684a49564e4efe0616c6d650fb2c08785a1a9ac77a79c0ae0e
                                                    • Opcode Fuzzy Hash: 8f7eea875d67ccb7ca5991508bad4fbe5bce549ff70ef00e55b85f2402b10479
                                                    • Instruction Fuzzy Hash: 4A21D131B49A41AADF11ABB494207DD3B709B53F7DF120417C88127EC2CB624448F666

                                                    Control-flow Graph
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 6CF0E828
                                                    • GetFileType.KERNELBASE(00000000), ref: 6CF0E83A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileHandleType
                                                    • String ID:
                                                    • API String ID: 3000768030-0
                                                    • Opcode ID: d8b26688d68915b06a9729c0634f2033f673aad7a6b348196f98c2f9ee9c472e
                                                    • Instruction ID: 3e286214ed3dc2517750f1f011b2ef8ec0822e9113d556e09a2b6d74d0e75603
                                                    • Opcode Fuzzy Hash: d8b26688d68915b06a9729c0634f2033f673aad7a6b348196f98c2f9ee9c472e
                                                    • Instruction Fuzzy Hash: 6F118172B047514AC7304E3E8CA87127AE4BB97A78B340B5ED0F686DF1D630E485A6D5

                                                    Control-flow Graph
                                                    APIs
                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 02706230
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 735a634169b3197ee9cb8874de1765f89ce8ea61a7d36e47568cd76491ab835b
                                                    • Instruction ID: 38905b8bdee7e5b243787d0cf270971880f24bdbc20348e5f192031d7031ec99
                                                    • Opcode Fuzzy Hash: 735a634169b3197ee9cb8874de1765f89ce8ea61a7d36e47568cd76491ab835b
                                                    • Instruction Fuzzy Hash: 1D2133B1D00659DBCB10CF9AC584A9EFBF8FB48320F10812AE818B7344C374A954CFA4

                                                    Control-flow Graph
                                                    APIs
                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 02706230
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 36615e19ecbcecc383bd89d7f7c06fdebf6451ab8e3b8a8d7a29a4938913aa46
                                                    • Instruction ID: d0d9fc7ebc45ef879dd2946b29ff82545e6073f0754a916686fa3b132d504f02
                                                    • Opcode Fuzzy Hash: 36615e19ecbcecc383bd89d7f7c06fdebf6451ab8e3b8a8d7a29a4938913aa46
                                                    • Instruction Fuzzy Hash: 902124B5D00659CFCB10CFAAD584A9EFBF4FB48320F14826AD819B7254C374A944CFA5
                                                    APIs
                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,?,00000000,?,00000000,?,027059F7), ref: 027065AF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: dae378dd9cd63d8aa043a1a88f7aa61605685f5e130867658516b1cc0e336f79
                                                    • Instruction ID: 5e56bce1f382e40723eef8b90f4d257938dd9eaef2af074bcf5a7150f7f3654a
                                                    • Opcode Fuzzy Hash: dae378dd9cd63d8aa043a1a88f7aa61605685f5e130867658516b1cc0e336f79
                                                    • Instruction Fuzzy Hash: F41158B1800359CFCB20DF9AC4847DEBBF4EB48320F208469D658A7354D778A944CFA4
                                                    APIs
                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,?,00000000,?,00000000,?,027059F7), ref: 027065AF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    • Opcode ID: b3ea271bbcc4cf847a2df4565c2da8dc52e1ea8479fa358952815d91cec67de4
                                                    • Instruction ID: 05bd25f98b619638ce2cd0260593e5ee1d9d854599b7c5191a1f8db852d714c5
                                                    • Opcode Fuzzy Hash: b3ea271bbcc4cf847a2df4565c2da8dc52e1ea8479fa358952815d91cec67de4
                                                    • Instruction Fuzzy Hash: 471163B6900259CFDB10CF99C1847DEFBF0EF48324F25846AC558A7295C778A944CFA4
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CF08986
                                                    • IsDebuggerPresent.KERNEL32 ref: 6CF08A52
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF08A6B
                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 6CF08A75
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                    • String ID:
                                                    • API String ID: 254469556-0
                                                    • Opcode ID: 04d2f0014bea10fff87d25d8b39f4fbcae080bd3283530f041c6940612734378
                                                    • Instruction ID: 0b6aef02f217a5a1d82b4b4b695671aaa270a84fe08439bf575ea0485966d7b9
                                                    • Opcode Fuzzy Hash: 04d2f0014bea10fff87d25d8b39f4fbcae080bd3283530f041c6940612734378
                                                    • Instruction Fuzzy Hash: 5C3125B5E01318DBDF61DFA5D8497CDBBB8AF08704F1041AAE40CAB640EB709A84DF55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6(r$H{ri$H{ri
                                                    • API String ID: 0-4259995277
                                                    • Opcode ID: 38c287d779489e53af8452fe314d2d80cf626801caf536d6a255c6e4f1f89f9f
                                                    • Instruction ID: 0719aaa987a850bf7b62d33ec4504aa73a19d42be72fa6d0978429c0ea4b6855
                                                    • Opcode Fuzzy Hash: 38c287d779489e53af8452fe314d2d80cf626801caf536d6a255c6e4f1f89f9f
                                                    • Instruction Fuzzy Hash: C552F237B453058FCB04CEBCC6A47DE7BF2AB46724F20951AD814EB7A8D2369949DB10
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CF0CA2F
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CF0CA39
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CF0CA46
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID:
                                                    • API String ID: 3906539128-0
                                                    • Opcode ID: 7aa826e095b657acb88b698f64f8b3f964b95554c85a1c3f0d27ab6f7beb1224
                                                    • Instruction ID: 0ab447142239436fc80f4c3e735a3e86dac0118bb0e607f076243ec672cabfb1
                                                    • Opcode Fuzzy Hash: 7aa826e095b657acb88b698f64f8b3f964b95554c85a1c3f0d27ab6f7beb1224
                                                    • Instruction Fuzzy Hash: A231E574A11218ABCF21DF25D8897CCBBB8BF08714F5042DAE41CA7250EB709F859F55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: NuRE$NuRE
                                                    • API String ID: 0-1824372278
                                                    • Opcode ID: 355cba62beeda8138c1756e8d9f1fa872ba3202e217889d991a433356c8e6cfc
                                                    • Instruction ID: 5937478ace55f0653c3e952680dc491f46a8c5ad8fc57e7c7d1c263866fe11e0
                                                    • Opcode Fuzzy Hash: 355cba62beeda8138c1756e8d9f1fa872ba3202e217889d991a433356c8e6cfc
                                                    • Instruction Fuzzy Hash: 19F11372B45205CFCF04CEBCE4A47DE7FF2AB4A724F20A11BE411EBB94C62999459B50
                                                    APIs
                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CF13590,?,?,00000008,?,?,6CF13193,00000000), ref: 6CF137C2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionRaise
                                                    • String ID:
                                                    • API String ID: 3997070919-0
                                                    • Opcode ID: ae3c1b484a009dbc7600e39fd2876c8a577e58948346f8dfcb88ccc3a5129062
                                                    • Instruction ID: b832bb75160d6113d4e816d92bc0160cf028945260c4db227f5a5a96aa5d7fda
                                                    • Opcode Fuzzy Hash: ae3c1b484a009dbc7600e39fd2876c8a577e58948346f8dfcb88ccc3a5129062
                                                    • Instruction Fuzzy Hash: 84B14A72618608DFD705CF28C486B557BE0FF45368F25869CE8A9CFAA1C335E999CB40
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CF08B4E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FeaturePresentProcessor
                                                    • String ID:
                                                    • API String ID: 2325560087-0
                                                    • Opcode ID: 6eaecf96dda365cda942448cd05f7cf170e70b9c69da5c77c33919f62f2cc31f
                                                    • Instruction ID: 8fcb648e3d2f70dc755e767924224e9d2b54d8b79c1ab26a312f31c89139c340
                                                    • Opcode Fuzzy Hash: 6eaecf96dda365cda942448cd05f7cf170e70b9c69da5c77c33919f62f2cc31f
                                                    • Instruction Fuzzy Hash: ED5179B1F222458BEB05CF64C8957AEBBF0FB4A718F24826AC411EB645D774E940CF90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: z9
                                                    • API String ID: 0-90298862
                                                    • Opcode ID: 25be93cb7537ad3e1a23a9f8c946d5ad2cabfdfa1a3f62999f6f2686b539376a
                                                    • Instruction ID: 3f415cc127219a62df39f692084df9884be431adad59a0825009eb006546ab22
                                                    • Opcode Fuzzy Hash: 25be93cb7537ad3e1a23a9f8c946d5ad2cabfdfa1a3f62999f6f2686b539376a
                                                    • Instruction Fuzzy Hash: 7141B535F2425ACFCB40CB59C9C656EFBF5AB88204B1581ABE505EB3D1C234D905CBA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: z9
                                                    • API String ID: 0-90298862
                                                    • Opcode ID: 1380e296f27a7bbbd864d2cc6af202da468b5dc03a716b2ccef2f3ead24f8513
                                                    • Instruction ID: 4d436939a0a6fdcc8507c89987eb2037dbe248d0d865d6bd0dc65c2133cc729e
                                                    • Opcode Fuzzy Hash: 1380e296f27a7bbbd864d2cc6af202da468b5dc03a716b2ccef2f3ead24f8513
                                                    • Instruction Fuzzy Hash: 6841A035F2025ACB8B44CE59C9C696EFBF5BB88600B1581ABE509FB391C234DD05CBA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: w Gr
                                                    • API String ID: 0-4006791179
                                                    • Opcode ID: 920e64d591e4c76226246a01bb96d2aadfc8efaeab61b721d0058836d9e0f300
                                                    • Instruction ID: 3604d747ada5dcbc12d54e96ae68e5566ce4c3ea13454f3b082fc464290d6051
                                                    • Opcode Fuzzy Hash: 920e64d591e4c76226246a01bb96d2aadfc8efaeab61b721d0058836d9e0f300
                                                    • Instruction Fuzzy Hash: E241D532604706CFC754CB6AD8C9A6AB7F6FF85310B00C82AD46ADBA65D234ED48CF41
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: 276445313ba5e9fb5b3f88b4137e6ab2f3666fdd7153ae4fe751c136120992ee
                                                    • Instruction ID: dede987cd5ce631b6f99cc8b3b74c62d5b79c7d22727dbfe0e92a9e7d7ae9275
                                                    • Opcode Fuzzy Hash: 276445313ba5e9fb5b3f88b4137e6ab2f3666fdd7153ae4fe751c136120992ee
                                                    • Instruction Fuzzy Hash: A7A01130B202028B8B888E32820A30C3BFABAA32A0302C028A000C2200EB208080AF00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1678731648.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2700000_file.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fa5f6deb17974c19bab1d0799858b93363f200b3d0f96928c19113ddfa8c2691
                                                    • Instruction ID: fe7cfadc255df512e68d9609fe2fe0243dbe47aa05444f958d20d053c98c7b0f
                                                    • Opcode Fuzzy Hash: fa5f6deb17974c19bab1d0799858b93363f200b3d0f96928c19113ddfa8c2691
                                                    • Instruction Fuzzy Hash: E3F1A170B14115CBCB08CF69C5E5A6FFBE6AFC9204B14856AE116EB3A5C770ED49CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1cfb3b7495a84274a64a25da1ddd9ecbc248c61e551b46d1c0c38cfe4fe9910e
                                                    • Instruction ID: a96317ae8505730de4ce7435ba61a6482a30ebf308841d943f5f0f559c5fe8c9
                                                    • Opcode Fuzzy Hash: 1cfb3b7495a84274a64a25da1ddd9ecbc248c61e551b46d1c0c38cfe4fe9910e
                                                    • Instruction Fuzzy Hash: 22518FB6B141069FCB04CEBCC995AEFBBF2AB46330F248316A924E77D4D235D6058A44
                                                    APIs
                                                    • type_info::operator==.LIBVCRUNTIME ref: 6CF0A4E9
                                                    • ___TypeMatch.LIBVCRUNTIME ref: 6CF0A5F7
                                                    • _UnwindNestedFrames.LIBCMT ref: 6CF0A749
                                                    • CallUnexpected.LIBVCRUNTIME ref: 6CF0A764
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                    • String ID: csm$csm$csm
                                                    • API String ID: 2751267872-393685449
                                                    • Opcode ID: d1b23a8a309e533de8f745e82cec9f7797b432f5c574a03ef7a876071106aa31
                                                    • Instruction ID: 76beab775faeeeea818b67b8474881e55ed04f1effb3f075281da19f4758bede
                                                    • Opcode Fuzzy Hash: d1b23a8a309e533de8f745e82cec9f7797b432f5c574a03ef7a876071106aa31
                                                    • Instruction Fuzzy Hash: C8B19A75A00209DFCF15CFA4C8A09DEB7F4BF04B18F14865AE8116BA11E731DA65EF91
                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 6CF094A7
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 6CF094AF
                                                    • _ValidateLocalCookies.LIBCMT ref: 6CF09538
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 6CF09563
                                                    • _ValidateLocalCookies.LIBCMT ref: 6CF095B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: csm
                                                    • API String ID: 1170836740-1018135373
                                                    • Opcode ID: fdaf5b5815deb890f2d1b9a25d01a0c5a851ba19435a01411b923c19ff2ac303
                                                    • Instruction ID: 936ffc4970d9021f948ca4e8278d9584c592f12349c0467816a15a3c8613e3a9
                                                    • Opcode Fuzzy Hash: fdaf5b5815deb890f2d1b9a25d01a0c5a851ba19435a01411b923c19ff2ac303
                                                    • Instruction Fuzzy Hash: B3418334B011489BCF00CF6AC890AAEBBF5AF4571CF148159E814ABB91EB31EB55DF90
                                                    APIs
                                                    • FreeLibrary.KERNEL32(00000000,?,6CF0E449,00000000,6CF0BC50,00000000,00000000,00000001,?,6CF0E5C2,00000022,FlsSetValue,6CF15688,6CF15690,00000000), ref: 6CF0E3FB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID: api-ms-$ext-ms-
                                                    • API String ID: 3664257935-537541572
                                                    • Opcode ID: 4fceb045b114311e6ea3895dfd54ee384c05e54623c5462effcba0eb4cb0bbe7
                                                    • Instruction ID: 101a10d722124e4de8a1a99fb1724dee70913b6762b095da36ca05f631aeb427
                                                    • Opcode Fuzzy Hash: 4fceb045b114311e6ea3895dfd54ee384c05e54623c5462effcba0eb4cb0bbe7
                                                    • Instruction Fuzzy Hash: 3B21EB36F05211ABDB119B668C51B4B3FB9DB42B68B360224E991A7B80D730E900D6D0
                                                    APIs
                                                    • GetLastError.KERNEL32(00000001,?,6CF09651,6CF08750,6CF08169,?,6CF083A1,?,00000001,?,?,00000001,?,6CF19498,0000000C,6CF0849A), ref: 6CF09A2A
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF09A38
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF09A51
                                                    • SetLastError.KERNEL32(00000000,6CF083A1,?,00000001,?,?,00000001,?,6CF19498,0000000C,6CF0849A,?,00000001,?), ref: 6CF09AA3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                     • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                     • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: b3dc0795e2633667ec09071b07a53b9c0410e13269a352c69417754c5fca15d2
                                                    • Instruction ID: 03eacf4364a084b796fc523166faa8256d859e3ed0bb6fb697b9e12888051a5d
                                                    • Opcode Fuzzy Hash: b3dc0795e2633667ec09071b07a53b9c0410e13269a352c69417754c5fca15d2
                                                    • Instruction Fuzzy Hash: E9012832B2D31A6EAA583677AC6268B37E4DB03F3C7210329F520819D0FF9149457680
                                                    Strings
                                                    • C:\Users\user\Desktop\file.exe, xrefs: 6CF0D58A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C:\Users\user\Desktop\file.exe
                                                    • API String ID: 0-1957095476
                                                    • Opcode ID: b74de6b61fbc95879a9defea282f23ab5ae37cd7df5b658ad6ca90fbe9d9ebff
                                                    • Instruction ID: 5e12ab5f140234508119005997ce0ed052c579105d96281c3ab535bc3ad5c73e
                                                    • Opcode Fuzzy Hash: b74de6b61fbc95879a9defea282f23ab5ae37cd7df5b658ad6ca90fbe9d9ebff
                                                    • Instruction Fuzzy Hash: 9C21A171704605AFCB00AF76C9609AB77BDEF45B6CB054619F918D7A40E730E844ABA0
                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F83B1210,00000000,?,00000000,6CF13E92,000000FF,?,6CF0B518,?,?,6CF0B4EC,?), ref: 6CF0B5B3
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF0B5C5
                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,6CF13E92,000000FF,?,6CF0B518,?,?,6CF0B4EC,?), ref: 6CF0B5E7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-1276376045
                                                    • Opcode ID: 6ceab43f38912770c6af0fce7aa7d98f087777cc1419b081cd58f850bd217540
                                                    • Instruction ID: 7f1381d27dce725b175789b33f73d2f07ed27a1ceb18cfab4293f1e39248eefd
                                                    • Opcode Fuzzy Hash: 6ceab43f38912770c6af0fce7aa7d98f087777cc1419b081cd58f850bd217540
                                                    • Instruction Fuzzy Hash: A701A231A14659EFDF018F50CC0ABAEBBB9FB45B18F014A25E821A2E80DB759900CB90
                                                    APIs
                                                    • __alloca_probe_16.LIBCMT ref: 6CF1007D
                                                    • __alloca_probe_16.LIBCMT ref: 6CF10146
                                                    • __freea.LIBCMT ref: 6CF101AD
                                                      • Part of subcall function 6CF0F19A: HeapAlloc.KERNEL32(00000000,6CF0DAE7,6CF0EEB4,?,6CF0DAE7,00000220,?,?,6CF0EEB4), ref: 6CF0F1CC
                                                    • __freea.LIBCMT ref: 6CF101C0
                                                    • __freea.LIBCMT ref: 6CF101CD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __freea$__alloca_probe_16$AllocHeap
                                                    • String ID:
                                                    • API String ID: 1096550386-0
                                                    • Opcode ID: 76e078582097d9fac8e94b241b762f0b0274ab22d57a802990204a8ac4a85e8a
                                                    • Instruction ID: 9e889e2a573f34e85ec717522008831c82a6c386a5863d8d718ccf67d6eaf2eb
                                                    • Opcode Fuzzy Hash: 76e078582097d9fac8e94b241b762f0b0274ab22d57a802990204a8ac4a85e8a
                                                    • Instruction Fuzzy Hash: D651E672605286BFEB014F64CC40EBB3BB9DF45728F260528FD15E6E40E7B9DC2496A0
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CF09FA3,00000000,?,00000001,?,?,?,6CF0A092,00000001,FlsFree,6CF14D60,FlsFree), ref: 6CF09FFF
                                                    • GetLastError.KERNEL32(?,6CF09FA3,00000000,?,00000001,?,?,?,6CF0A092,00000001,FlsFree,6CF14D60,FlsFree,00000000,?,6CF09AF1), ref: 6CF0A009
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CF0A031
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID: api-ms-
                                                    • API String ID: 3177248105-2084034818
                                                    • Opcode ID: 920945012c73b77440f90c3b3f4dccaee9031395d57adecc47b9dc517265cff7
                                                    • Instruction ID: deb2c05ed5c527aa2a8279cd1567e57dda30c6f16efbb5d4fbdce3367eb301c7
                                                    • Opcode Fuzzy Hash: 920945012c73b77440f90c3b3f4dccaee9031395d57adecc47b9dc517265cff7
                                                    • Instruction Fuzzy Hash: 4EE04F31B54208BBEF101F62DE16B493EBD9B41F8CF120430FA0DE8C91E7A29510A585
                                                    APIs
                                                    • GetConsoleOutputCP.KERNEL32(F83B1210,00000000,00000000,?), ref: 6CF10768
                                                      • Part of subcall function 6CF0E13C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF101A3,?,00000000,-00000008), ref: 6CF0E19D
                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF109BA
                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF10A00
                                                    • GetLastError.KERNEL32 ref: 6CF10AA3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                    • String ID:
                                                    • API String ID: 2112829910-0
                                                    • Opcode ID: f1d3968801181f2a79af461d3063352c577c147575c188c6dbc8b7fbb2867e1b
                                                    • Instruction ID: 78e676ab11912eee2543a4f9f52ab9217dd35dc41f86ad6572c71db12b2f94cc
                                                    • Opcode Fuzzy Hash: f1d3968801181f2a79af461d3063352c577c147575c188c6dbc8b7fbb2867e1b
                                                    • Instruction Fuzzy Hash: CCD17875E08288DFCB04CFA8C880ADDBBF4EF49314F24856AE465EBB41D670A956CB50
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AdjustPointer
                                                    • String ID:
                                                    • API String ID: 1740715915-0
                                                    • Opcode ID: 5e6d88c2697f2a09f84c19f5453bfddd9a589195b05734cb9782df5c1d8c4297
                                                    • Instruction ID: 8fe64e26c1f053f7795a373dfa8064a9935501d9a1999ff9e6c498da5821a962
                                                    • Opcode Fuzzy Hash: 5e6d88c2697f2a09f84c19f5453bfddd9a589195b05734cb9782df5c1d8c4297
                                                    • Instruction Fuzzy Hash: 1151E2727066029FEB198F50D860BAAB3F5FF41B18F20453DEC1547A91E732E980EB90
                                                    APIs
                                                      • Part of subcall function 6CF0E13C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF101A3,?,00000000,-00000008), ref: 6CF0E19D
                                                    • GetLastError.KERNEL32 ref: 6CF0CDEC
                                                    • __dosmaperr.LIBCMT ref: 6CF0CDF3
                                                    • GetLastError.KERNEL32(?,?,?,?), ref: 6CF0CE2D
                                                    • __dosmaperr.LIBCMT ref: 6CF0CE34
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 1913693674-0
                                                    • Opcode ID: f44b0c6541d5ae78111dad413c62fef685585b329059db4600cdf72a9e8f9f18
                                                    • Instruction ID: cdd80a9b593190fdf23406825e6b928544a4b2120c709b45415d75c3ea6596db
                                                    • Opcode Fuzzy Hash: f44b0c6541d5ae78111dad413c62fef685585b329059db4600cdf72a9e8f9f18
                                                    • Instruction Fuzzy Hash: B321C571704216AFDB00AF6AC8A099BB7BDFF45B687148529F91597A40D730EC40B7B2
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32 ref: 6CF0E1E7
                                                      • Part of subcall function 6CF0E13C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF101A3,?,00000000,-00000008), ref: 6CF0E19D
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF0E21F
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF0E23F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 158306478-0
                                                    • Opcode ID: b9be225750468ec39885ced8febd0e72e4e68176fb3800421782292242b911ca
                                                    • Instruction ID: f01391b573d0f215e0803637d560ae3c461ad57133d3ba9c07d9424dd167396f
                                                    • Opcode Fuzzy Hash: b9be225750468ec39885ced8febd0e72e4e68176fb3800421782292242b911ca
                                                    • Instruction Fuzzy Hash: 3E1108B2F051157F6A1527758CA9DAF7E6CDF96AAC7060524F440A2600EB20CD08A1F1
                                                    APIs
                                                    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CF11839,00000000,00000001,00000000,?,?,6CF10AF7,?,00000000,00000000), ref: 6CF1209D
                                                    • GetLastError.KERNEL32(?,6CF11839,00000000,00000001,00000000,?,?,6CF10AF7,?,00000000,00000000,?,?,?,6CF1109A,00000000), ref: 6CF120A9
                                                      • Part of subcall function 6CF1206F: CloseHandle.KERNEL32(FFFFFFFE,6CF120B9,?,6CF11839,00000000,00000001,00000000,?,?,6CF10AF7,?,00000000,00000000,?,?), ref: 6CF1207F
                                                    • ___initconout.LIBCMT ref: 6CF120B9
                                                      • Part of subcall function 6CF12031: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF12060,6CF11826,?,?,6CF10AF7,?,00000000,00000000,?), ref: 6CF12044
                                                    • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CF11839,00000000,00000001,00000000,?,?,6CF10AF7,?,00000000,00000000,?), ref: 6CF120CE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                    • String ID:
                                                    • API String ID: 2744216297-0
                                                    • Opcode ID: a596310f4718463027b1274faec7421988c682c28e405f655f6ee2639bd8f608
                                                    • Instruction ID: bf2be371bff60d9518dc5caf331fa46bb31bf9e6b428d6d259fefbccad54585d
                                                    • Opcode Fuzzy Hash: a596310f4718463027b1274faec7421988c682c28e405f655f6ee2639bd8f608
                                                    • Instruction Fuzzy Hash: 4AF01236914158BFCF521FE2CC0CA893F76FB4A3B4B054110FA1895914C6338860DB90
                                                    APIs
                                                    • EncodePointer.KERNEL32(00000000,?), ref: 6CF0A794
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1683690736.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true
                                                    • Associated: 00000000.00000002.1683674380.000000006CF00000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683728835.000000006CF14000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF1B000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CF69000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1683751341.000000006CFA7000.00000004.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.1684045603.000000006CFD2000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6cf00000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EncodePointer
                                                    • String ID: MOC$RCC
                                                    • API String ID: 2118026453-2084237596
                                                    • Opcode ID: fa1fc903f2b1dafd2558d39448dbd3fbfc6d08220fd3e57dffe11b266d898ad3
                                                    • Instruction ID: f425cd70821f22b7736849fb97ce4c56c91e49788d1c4a6c69ffe3c36b2d88e7
                                                    • Opcode Fuzzy Hash: fa1fc903f2b1dafd2558d39448dbd3fbfc6d08220fd3e57dffe11b266d898ad3
                                                    • Instruction Fuzzy Hash: 2A415971A00209AFCF06CF94CC90AEEBBF5FF48708F248199EA14A7610D7359A52EB50

                                                    Execution Graph

                                                    Execution Coverage:16.3%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0.8%
                                                    Total number of Nodes:355
                                                    Total number of Limit Nodes:26
                                                    execution_graph: node/edge listing of the rendered execution graph (node ids with code addresses); API calls named on the graph nodes: LdrLoadDll, PostMessageW, LoadLibraryW, CreateFileA, CreateActCtxA, GetModuleHandleW, DuplicateHandle, OleInitialize, OleGetClipboard
75158->75153 75160 73c6b09 75159->75160 75161 73c5931 75159->75161 75161->75160 75162 73c9d80 ReadFile ReadFile 75161->75162 75162->75161 75165 73c5815 75163->75165 75164 73c6b09 75164->75164 75165->75164 75166 73c9d80 ReadFile ReadFile 75165->75166 75166->75165 75169 73c5931 75167->75169 75168 73c6b09 75168->75168 75169->75168 75170 73c9d80 ReadFile ReadFile 75169->75170 75170->75169 75173 73c57e2 75171->75173 75172 73c6b09 75172->75172 75173->75172 75174 73c9d80 ReadFile ReadFile 75173->75174 75174->75173 75177 6ff8c53 75175->75177 75176 6ff908a 75176->75176 75177->75176 75200 6ff9360 75177->75200 75205 6ff9319 75177->75205 75182 6ff8c53 75180->75182 75181 6ff908a 75182->75181 75183 6ff9319 2 API calls 75182->75183 75184 6ff9360 2 API calls 75182->75184 75183->75182 75184->75182 75187 6ff8b42 75185->75187 75186 6ff908a 75186->75186 75187->75186 75188 6ff9319 2 API calls 75187->75188 75189 6ff9360 2 API calls 75187->75189 75188->75187 75189->75187 75191 6ff8b42 75190->75191 75192 6ff908a 75191->75192 75193 6ff9319 2 API calls 75191->75193 75194 6ff9360 2 API calls 75191->75194 75192->75192 75193->75191 75194->75191 75197 6ff8c53 75195->75197 75196 6ff908a 75196->75196 75197->75196 75198 6ff9319 2 API calls 75197->75198 75199 6ff9360 2 API calls 75197->75199 75198->75197 75199->75197 75201 6ff9368 75200->75201 75211 6ff93b8 75201->75211 75216 6ff93a7 75201->75216 75202 6ff939d 75202->75177 75206 6ff9368 75205->75206 75207 6ff9326 75205->75207 75209 6ff93b8 2 API calls 75206->75209 75210 6ff93a7 2 API calls 75206->75210 75207->75177 75208 6ff939d 75208->75177 75209->75208 75210->75208 75212 6ff93e2 75211->75212 75213 6ff945e 75212->75213 75221 6fd8d30 75212->75221 75226 6fd8d40 75212->75226 75213->75202 75217 6ff93e2 75216->75217 75218 6ff945e 75217->75218 75219 6fd8d40 2 API calls 75217->75219 75220 6fd8d30 2 API calls 75217->75220 75218->75202 75219->75218 75220->75218 75222 6fd8d2f 75221->75222 75223 6fd8d33 75221->75223 75222->75213 75230 73c8730 75223->75230 
75224 6fd8e42 75224->75213 75227 6fd8d67 75226->75227 75229 73c8730 2 API calls 75227->75229 75228 6fd8e42 75228->75213 75229->75228 75231 73c874a 75230->75231 75235 73c8770 75231->75235 75239 73c8780 75231->75239 75232 73c8762 75232->75224 75236 73c8780 75235->75236 75237 73c8896 75236->75237 75243 73cb7c0 75236->75243 75237->75232 75240 73c87a7 75239->75240 75241 73c8896 75240->75241 75242 73cb7c0 2 API calls 75240->75242 75241->75232 75242->75241 75244 73cb7e5 75243->75244 75248 73cb811 75244->75248 75252 73cb820 75244->75252 75245 73cb7fe 75245->75237 75249 73cb820 75248->75249 75251 73cb910 ReadFile ReadFile 75249->75251 75250 73cb889 75250->75245 75251->75250 75253 73cb847 75252->75253 75255 73cb910 ReadFile ReadFile 75253->75255 75254 73cb889 75254->75245 75255->75254 75257 73c6ee2 75256->75257 75263 73c7318 75257->75263 75269 73c7fb2 75257->75269 75275 73c730b 75257->75275 75281 73c7fb0 75257->75281 75265 73c7345 75263->75265 75264 73c7ff1 75264->75264 75265->75264 75266 73c8730 2 API calls 75265->75266 75287 73c8518 75265->75287 75291 73c8508 75265->75291 75266->75265 75271 73c741d 75269->75271 75270 73c7ff1 75271->75270 75272 73c8730 2 API calls 75271->75272 75273 73c8518 2 API calls 75271->75273 75274 73c8508 2 API calls 75271->75274 75272->75271 75273->75271 75274->75271 75277 73c7345 75275->75277 75276 73c7ff1 75276->75276 75277->75276 75278 73c8518 2 API calls 75277->75278 75279 73c8508 2 API calls 75277->75279 75280 73c8730 2 API calls 75277->75280 75278->75277 75279->75277 75280->75277 75283 73c741d 75281->75283 75282 73c7ff1 75283->75282 75284 73c8730 2 API calls 75283->75284 75285 73c8518 2 API calls 75283->75285 75286 73c8508 2 API calls 75283->75286 75284->75283 75285->75283 75286->75283 75288 73c853f 75287->75288 75290 73c8730 2 API calls 75288->75290 75289 73c85d5 75289->75265 75290->75289 75292 73c853f 75291->75292 75294 73c8730 2 API calls 75292->75294 75293 73c85d5 75293->75265 75294->75293
                                                    APIs
                                                    • LdrLoadDll.NTDLL(?,?,?,?), ref: 06FDE7BD
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1774043787.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6fd0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: 12ba6e6efbc659ef21aa346408487da55264bc6b130b68ee7fad1a9dd4b3ced0
                                                    • Instruction ID: 1a9c063d8728cf5a324d6b079910fe28b87d2a564ae87b2597dc27b631cc64cc
                                                    • Opcode Fuzzy Hash: 12ba6e6efbc659ef21aa346408487da55264bc6b130b68ee7fad1a9dd4b3ced0
                                                    • Instruction Fuzzy Hash: 9A21E2B1D003589FCB10DFAAC884ADEFBF5FF48320F14842AE959A7250C775A944CBA5
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 410e440bf6dc3a2809ecd14ef26aae57f4037667cfd0ad0198f1c32bfa594971
                                                    • Instruction ID: 63189515785496efd7183856ae6a82798f87f181bdd7563bf1cfc4b1d11f61b3
                                                    • Opcode Fuzzy Hash: 410e440bf6dc3a2809ecd14ef26aae57f4037667cfd0ad0198f1c32bfa594971
                                                    • Instruction Fuzzy Hash: B5426A70A01341CFC795DF68C594AAEBBF2AF89304F149469E546DB3A5DB30EC85CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e305f8ab8cb94d42920c703987746f65260c71284ce27625a38009437899ffb7
                                                    • Instruction ID: 30561cc14a752a7b566b513c5b2ba3fe47e94b07e2f04748d546171589136449
                                                    • Opcode Fuzzy Hash: e305f8ab8cb94d42920c703987746f65260c71284ce27625a38009437899ffb7
                                                    • Instruction Fuzzy Hash: 62124C74A003058FC745DF69C584AAABBF2FF89314B19D499E449DB366CB30ED85CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 408c63482987bd60a6a699f42374389db9c835c578f043570aa17def11c842cc
                                                    • Instruction ID: 86ffb7f241c060967540a4ceba59b0491420b874dcb18b2490f2316281ea7d11
                                                    • Opcode Fuzzy Hash: 408c63482987bd60a6a699f42374389db9c835c578f043570aa17def11c842cc
                                                    • Instruction Fuzzy Hash: 2E027A34A00704CFDBA5CFA9C584AAABBF2FF88304F149569E456DB761DB34E981CB40

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2222 73c949c-73c9509 2225 73c950b-73c9515 2222->2225 2226 73c9542-73c95c3 CreateFileA 2222->2226 2225->2226 2227 73c9517-73c9519 2225->2227 2236 73c95cc-73c9612 2226->2236 2237 73c95c5-73c95cb 2226->2237 2229 73c953c-73c953f 2227->2229 2230 73c951b-73c9525 2227->2230 2229->2226 2231 73c9529-73c9538 2230->2231 2232 73c9527 2230->2232 2231->2231 2234 73c953a 2231->2234 2232->2231 2234->2229 2242 73c9614-73c9618 2236->2242 2243 73c9622 2236->2243 2237->2236 2242->2243 2244 73c961a 2242->2244 2245 73c9623 2243->2245 2244->2243 2245->2245
                                                    APIs
                                                    • CreateFileA.KERNELBASE(?,?,?,?,?,00000001,00000004), ref: 073C95B3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1775279190.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_73c0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: 4L^q
                                                    • API String ID: 823142352-616035646
                                                    • Opcode ID: 6355b8581493ca7f3e6d1ae71a9a65fe031449a8b6ccdc9f6c6d8034c9e3db29
                                                    • Instruction ID: 94ddc221e709c0876e4aae00fd7e736deb0115ea67eb5e6fc201cb3b0c4d1597
                                                    • Opcode Fuzzy Hash: 6355b8581493ca7f3e6d1ae71a9a65fe031449a8b6ccdc9f6c6d8034c9e3db29
                                                    • Instruction Fuzzy Hash: 284134B0D102599FEB10CFA9C844B9EBFF5FF08310F15802AE859AB251DB75A855CF81

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2246 73c94a8-73c9509 2248 73c950b-73c9515 2246->2248 2249 73c9542-73c95c3 CreateFileA 2246->2249 2248->2249 2250 73c9517-73c9519 2248->2250 2259 73c95cc-73c9612 2249->2259 2260 73c95c5-73c95cb 2249->2260 2252 73c953c-73c953f 2250->2252 2253 73c951b-73c9525 2250->2253 2252->2249 2254 73c9529-73c9538 2253->2254 2255 73c9527 2253->2255 2254->2254 2257 73c953a 2254->2257 2255->2254 2257->2252 2265 73c9614-73c9618 2259->2265 2266 73c9622 2259->2266 2260->2259 2265->2266 2267 73c961a 2265->2267 2268 73c9623 2266->2268 2267->2266 2268->2268
                                                    APIs
                                                    • CreateFileA.KERNELBASE(?,?,?,?,?,00000001,00000004), ref: 073C95B3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1775279190.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_73c0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: 4L^q
                                                    • API String ID: 823142352-616035646
                                                    • Opcode ID: 765bbacd933b2748bc7a2ba101d6f07803590baa2562ce849cfa1b755c260b41
                                                    • Instruction ID: f0dd1526825fbdc94e87cbdae8b0ca199c5a4ffb9dfbdb56393da159fc49c6ab
                                                    • Opcode Fuzzy Hash: 765bbacd933b2748bc7a2ba101d6f07803590baa2562ce849cfa1b755c260b41
                                                    • Instruction Fuzzy Hash: B64144B0D10259DFEB10CFA9C844B9EBFF5BF48314F158029E819AB290CB79A845CF81
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7aa4c1865d69b98fc7612df905b7aa830e2b64b04d0c912b965633fbb45f365f
                                                    • Instruction ID: 74c90da6d4b953128ecca35b272a26b7d332263789dcae0e24696b4f60bf09d6
                                                    • Opcode Fuzzy Hash: 7aa4c1865d69b98fc7612df905b7aa830e2b64b04d0c912b965633fbb45f365f
                                                    • Instruction Fuzzy Hash: BF635C70E402189FEB659F64CC95B9EBA73EB88700F104099E60A7B3D1CF725E849F65
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (bq$(bq
                                                    • API String ID: 0-4224401849
                                                    • Opcode ID: 92080cb444f7e49f085117bb31c5cdd1a6b7a3e232920a4878a0c2b044b5f29f
                                                    • Instruction ID: 4f5f7c66f3691dd6280bfb01b35eca3fc9c814e78dd4aab91578812a224e76a5
                                                    • Opcode Fuzzy Hash: 92080cb444f7e49f085117bb31c5cdd1a6b7a3e232920a4878a0c2b044b5f29f
                                                    • Instruction Fuzzy Hash: 1841BE30A007058FDB54DF29D81566EBBF2EF88255B20856ED006E77A1DF359D06CBE0
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00DDC83E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756961392.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_dd0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 83f0f480cfe0db9f4458e77637bec1ddb691f11c6d1f796c9cc7c5e112c91352
                                                    • Instruction ID: 12da65a3c7d36fc08d92423e3cb71ba26dd30e84bf8b81f819b784fdad11be84
                                                    • Opcode Fuzzy Hash: 83f0f480cfe0db9f4458e77637bec1ddb691f11c6d1f796c9cc7c5e112c91352
                                                    • Instruction Fuzzy Hash: D18133B0A10B068FD724DF29D541B5ABBF5FF48304F149A2AD08A97B50DB74E846CBA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hb_q
                                                    • API String ID: 0-781627569
                                                    • Opcode ID: 41824c7d6e8c2bdccfc3ec7ea7eb9cb076f7edf20cfe2171e9f65eea0b3b6759
                                                    • Instruction ID: 2ed775da6ef7869936a40f7fb1ef80ce787bd51ac449ba457012ebc848a56fcf
                                                    • Opcode Fuzzy Hash: 41824c7d6e8c2bdccfc3ec7ea7eb9cb076f7edf20cfe2171e9f65eea0b3b6759
                                                    • Instruction Fuzzy Hash: 7AE17074A00205DFCB45CF68D5849AEBBF2FF48314F1585A9E4099B362DB31ED85CBA0
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00DD6039
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756961392.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_dd0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: b2cc14a81e7ebe497cff3a82f414346d9b5351de60b411f450eb257e5d0018f3
                                                    • Instruction ID: c29a5398815d991170151afce1e32bd4808dac647c1776ac248f0a7d066d1bd7
                                                    • Opcode Fuzzy Hash: b2cc14a81e7ebe497cff3a82f414346d9b5351de60b411f450eb257e5d0018f3
                                                    • Instruction Fuzzy Hash: 6141C3B0C00619DFDB24CFA9C884BDEBBF5BF49304F24806AD408AB255DB766945CF91
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00DD6039
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756961392.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_dd0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 87aafb0a0346aad65cd25f5e75e27ddcf9c716b995c721f999bde920141a45c4
                                                    • Instruction ID: 048446bc7c6225aa423a7b3239f5e3bc2029ea9accb8ccf10436b74ff29d4c0c
                                                    • Opcode Fuzzy Hash: 87aafb0a0346aad65cd25f5e75e27ddcf9c716b995c721f999bde920141a45c4
                                                    • Instruction Fuzzy Hash: 5141D4B0C0071DCFDB24DFA9C84479EBBB5BF49304F2480AAD408AB255DB75A945CF90
                                                    APIs
                                                    • ReadFile.KERNELBASE(00000000,00000000,?,?,?), ref: 073CBAD9
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1775279190.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_73c0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: bdbd2be609ce1f61c51f5702d24f9c6311733c5c087519658d15b60771f90915
                                                    • Instruction ID: c8215fd0cb8a9704a3bfec794c6984eeb57f8d4398fa1912d10d9dd05980cfdc
                                                    • Opcode Fuzzy Hash: bdbd2be609ce1f61c51f5702d24f9c6311733c5c087519658d15b60771f90915
                                                    • Instruction Fuzzy Hash: 443144B1D002599FDB14CFA9C581ADEFBF5EF48310F24802AE849AB254DB749D45CF94
                                                    APIs
                                                    • ReadFile.KERNELBASE(00000000,00000000,?,?,?), ref: 073CBAD9
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1775279190.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_73c0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 75e2eb4dd2af6bfd1501e30ae5cbbf709e640250abb44bf3ad497150bfa65b99
                                                    • Instruction ID: c15895dcd4f8bc49873c979c6283d1003eb48845d2f726917d77d0bc69aa7eae
                                                    • Opcode Fuzzy Hash: 75e2eb4dd2af6bfd1501e30ae5cbbf709e640250abb44bf3ad497150bfa65b99
                                                    • Instruction Fuzzy Hash: C63113B0D002599FDB14CFA9C581ADEFBF5AF48310F24802AE449AB254DB759945CF94
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773757668.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ef0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: Clipboard
                                                    • String ID:
                                                    • API String ID: 220874293-0
                                                    • Opcode ID: af97f90af43f1699a785ec9fc67b0c8a4b47855c0fe5aa845fa94820cc58122e
                                                    • Instruction ID: 723ae72a7ae463fc2155733345815513f2306cc1c980cc85ac1fc0c6e1f4d4de
                                                    • Opcode Fuzzy Hash: af97f90af43f1699a785ec9fc67b0c8a4b47855c0fe5aa845fa94820cc58122e
                                                    • Instruction Fuzzy Hash: 6631F2B0D11348DFDB10CF99C984BCEBBF5AF48304F248059E504AB294DB75A945CFA5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773757668.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ef0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: Clipboard
                                                    • String ID:
                                                    • API String ID: 220874293-0
                                                    • Opcode ID: df394cc7db50146754050755b80b1b523993724446193bed0adf228a7a2d557f
                                                    • Instruction ID: ca737f1d33f5d2cb0c0fc9eddef87d593e3929a7d34c4f199f23198425d247e8
                                                    • Opcode Fuzzy Hash: df394cc7db50146754050755b80b1b523993724446193bed0adf228a7a2d557f
                                                    • Instruction Fuzzy Hash: 483100B0E11348DFDB10CF99C984BCDBBF5AF48304F248059E504AB290DB75A945CFA5
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DDEE96,?,?,?,?,?), ref: 00DDEF57
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756961392.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_dd0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 4370b70d7b347563c24645a93bb3e64a35891d29d50eef2750c2dfa33dc1e083
                                                    • Instruction ID: 2cbc1f0da10f499da00fafe60180d7957d5e71afb8872bd788456667ef901334
                                                    • Opcode Fuzzy Hash: 4370b70d7b347563c24645a93bb3e64a35891d29d50eef2750c2dfa33dc1e083
                                                    • Instruction Fuzzy Hash: 2F21E5B59003589FDB10DFAAD584ADEBBF9EB48310F14841AE958A7310D375A940CFA4
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DDEE96,?,?,?,?,?), ref: 00DDEF57
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756961392.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_dd0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 0212f59a20e8f73438184414b66871bc1286b958c16a36cf7dfdba0ab4d2f57d
                                                    • Instruction ID: 5741d6a4f7d56688e67fd1044dbe0d39bb41bca8b7fafe873434fc0fb6b9e50f
                                                    • Opcode Fuzzy Hash: 0212f59a20e8f73438184414b66871bc1286b958c16a36cf7dfdba0ab4d2f57d
                                                    • Instruction Fuzzy Hash: F721E3B5900258DFDB10DFAAD984ADEBBF8FB48310F14841AE918A7350D379A940CFA4
                                                    APIs
                                                    • LdrLoadDll.NTDLL(?,?,?,?), ref: 06FDE7BD
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1774043787.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6fd0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: 69ba39424a093eec043d2d590108013de6b99a026125afc053a64d455795851d
                                                    • Instruction ID: 338440708338aeae9a122ca5fb29ce281aa7690bd545d1fde9465732ab664502
                                                    • Opcode Fuzzy Hash: 69ba39424a093eec043d2d590108013de6b99a026125afc053a64d455795851d
                                                    • Instruction Fuzzy Hash: 652139B1D002589FCB10DFA9C884ADEFBF5FF48310F10842AE459A7210C7759544CFA0
                                                    APIs
                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 06FB8E16
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773926591.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6fb0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 4d64a792e77167832d5e8c198a1614be7c0a5ca555532a0050de05cad72ebdb2
                                                    • Instruction ID: 4e79d2f894d00c967e9587c7a5fef0c567fbfd07232e5912dc85c00d5194bf61
                                                    • Opcode Fuzzy Hash: 4d64a792e77167832d5e8c198a1614be7c0a5ca555532a0050de05cad72ebdb2
                                                    • Instruction Fuzzy Hash: 971123B2D003498FDB10DFAAC444ADEFBF9EF88320F10842AD469A7210C375A545CFA5
                                                    APIs
                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 06FB8E16
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773926591.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6fb0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 0aa508cb598e65bbfa62ca6c95b1b4b42f4b699d65cedf3cb03180bdadb9c262
                                                    • Instruction ID: fd1dc8278b8a4b460a71f590177cbe3fdbe793e32056c1e15dd84174226785c2
                                                    • Opcode Fuzzy Hash: 0aa508cb598e65bbfa62ca6c95b1b4b42f4b699d65cedf3cb03180bdadb9c262
                                                    • Instruction Fuzzy Hash: 3511F3B5D002598BDB10DF9AC444ADEFBF9EF88310F14842AD429A7610C375A545CFA5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06FFCAB5
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1774147918.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ff0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: a62f5e9feefc11d08499e26fc7db43c82d5377d39cae596dc928a71f9050a4eb
                                                    • Instruction ID: 7749066b264fe9b16edda96feda0a2045c5662ed4c385f60119d6cced1dfab5b
                                                    • Opcode Fuzzy Hash: a62f5e9feefc11d08499e26fc7db43c82d5377d39cae596dc928a71f9050a4eb
                                                    • Instruction Fuzzy Hash: F31106B5900358DFDB10DF99D844BDFBBF8EB48310F108459E555A7610C375A944CFA1
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00DDC83E
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756961392.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_dd0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 64322bb1c669c39d99349eebc22fa3f07d024ad553cae539bc74638220519598
                                                    • Instruction ID: 0e576935c6d3d21e42cb402dfb5f9f30573a0e4dabb46287c3cec71595463e81
                                                    • Opcode Fuzzy Hash: 64322bb1c669c39d99349eebc22fa3f07d024ad553cae539bc74638220519598
                                                    • Instruction Fuzzy Hash: A2110FB5D002498FDB10CF9AC444ADEFBF8AB88324F14842AD819A7710C379A545CFA1
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06FFCAB5
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1774147918.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ff0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 60ceb135acdf268195fae14a4d607cc5254a2dbe23150408c1e7963a15dbf3a8
                                                    • Instruction ID: bdc3c5671a24a35301a868c27d68005d565d7fb219c44d334842a69573433b97
                                                    • Opcode Fuzzy Hash: 60ceb135acdf268195fae14a4d607cc5254a2dbe23150408c1e7963a15dbf3a8
                                                    • Instruction Fuzzy Hash: 591110B5900259CFDB10CF99C888BDEBBF8EB48310F10841AE559A3610C379A584CFA0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773757668.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ef0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 86eb20e0d7e3f7ba994cab8a7a36c56a28314462929ef6312fe5024e9546bb17
                                                    • Instruction ID: aa8f7f7aa1d462753cc33a0e71c764885bd9b845602b39a559a7b8786da71b22
                                                    • Opcode Fuzzy Hash: 86eb20e0d7e3f7ba994cab8a7a36c56a28314462929ef6312fe5024e9546bb17
                                                    • Instruction Fuzzy Hash: CC1130B0900349CFDB20CFA9D889BCEBBF4EB48324F20845AD559A7650C3B9A540CFA4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773757668.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ef0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 23111b7a7f29f7c5d08a4240bb0bdcc3cc022866f8a1d9223f0fd7d3d782783c
                                                    • Instruction ID: d53ce9a1283d1643577361941f80db62ee8f0b76159e35ab3065a07a5a68f729
                                                    • Opcode Fuzzy Hash: 23111b7a7f29f7c5d08a4240bb0bdcc3cc022866f8a1d9223f0fd7d3d782783c
                                                    • Instruction Fuzzy Hash: 2A1123B1910348CFDB20DF9AC848BCEFBF8EB48324F208419D558A7610C379A544CFA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    • Opcode ID: ede06426c3392697fe85452cdfc83daaf5af56577c989b0f5d37b50fc6b4ef3b
                                                    • Instruction ID: 07e8e7b308832d7645cd3bdb8c496ad818b71a569c56ef18813f15e05e6fe9de
                                                    • Opcode Fuzzy Hash: ede06426c3392697fe85452cdfc83daaf5af56577c989b0f5d37b50fc6b4ef3b
                                                    • Instruction Fuzzy Hash: 3C517B71E002199FDB55CFA8C884AEEBBF1FF48314F24806AE915AB251D734DE54CBA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'^q
                                                    • API String ID: 0-1614139903
                                                    • Opcode ID: 4e0ff889973b20f216b2592516df766c50adab73f8330379e94af0f016572ff8
                                                    • Instruction ID: eec9d1cff21d138cb995e06e2973f387d278b47a9e73580517be5ec579ae06da
                                                    • Opcode Fuzzy Hash: 4e0ff889973b20f216b2592516df766c50adab73f8330379e94af0f016572ff8
                                                    • Instruction Fuzzy Hash: 2951C3B5A00345DFC745DF28C58099ABBF2FF88314B1589A9D459CB366DB30ED89CBA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    • Opcode ID: 617f26ebcf8ec7bf1ec61acd47b96a03679553b44303f96a1bfb8fc23b826663
                                                    • Instruction ID: bcea093077ce309d72f4a9628954aef449b6d213d3b6a6a99b285e91d5311d47
                                                    • Opcode Fuzzy Hash: 617f26ebcf8ec7bf1ec61acd47b96a03679553b44303f96a1bfb8fc23b826663
                                                    • Instruction Fuzzy Hash: 8521BF72A012199FCB15CFA5C984AEFBFB5FF48314B14816AF544DB221E734DA45CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a98961a7fdb288c86d2a9d83c37262e3b226bab9054d7bc8345493404848aaaa
                                                    • Instruction ID: 7927d844ebe4a4f23ad27946e1015485337219665f2f0ccd611d8507fd519001
                                                    • Opcode Fuzzy Hash: a98961a7fdb288c86d2a9d83c37262e3b226bab9054d7bc8345493404848aaaa
                                                    • Instruction Fuzzy Hash: 5D123574A00705CFCB65CF69D98496AFBF2FF48304B159A69D4468B761DB30EC86CB90
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 49b0a62a9030eb82dcaeba5e10457c585aac1e9ebf60e332210577d1eb81def3
                                                    • Instruction ID: 9b9b5beea37c8195a0421314ea95b8c8a981ad5995a74d824c83ed21fe64d01c
                                                    • Opcode Fuzzy Hash: 49b0a62a9030eb82dcaeba5e10457c585aac1e9ebf60e332210577d1eb81def3
                                                    • Instruction Fuzzy Hash: B3121870A01318DFCB55DF64D844A9DBBF2BF49309F1090A9E80AAB265DB31DD85CF51
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 87c749d60571553d2463a2a443c1bac8bc706794e297a12a11a3dbe5daa8e717
                                                    • Instruction ID: 8f7d6c036774426769819ffba080c192eadc3d99489cdc49ee21bf41f4177213
                                                    • Opcode Fuzzy Hash: 87c749d60571553d2463a2a443c1bac8bc706794e297a12a11a3dbe5daa8e717
                                                    • Instruction Fuzzy Hash: 4D81D430B05325DFDBE50E6488447BEBAA6EB88B48F046819FC468B245DBB0CC91C7E1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d11ef72840232c6424ddc8c3b9284c4e81e84581f2ab9ea7f680ad14d7470f52
                                                    • Instruction ID: cc8e1bf941c5b2bef5729fb95cdcfcd1b8545fc64c5cd7cd9d3950daecf96466
                                                    • Opcode Fuzzy Hash: d11ef72840232c6424ddc8c3b9284c4e81e84581f2ab9ea7f680ad14d7470f52
                                                    • Instruction Fuzzy Hash: 16810430E02301AFDB45DF65D848ADFBBB7EF8A340F14816AE84697256D7318A45CBE0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 89f100234cae6fee5c6cc1119e4538792b157a3e8f52bdfd686697c31a86173c
                                                    • Instruction ID: 757ec005f140bdecd3f237df319a1c9b97edad2d81eb52f6d1d498bd3e99a5c8
                                                    • Opcode Fuzzy Hash: 89f100234cae6fee5c6cc1119e4538792b157a3e8f52bdfd686697c31a86173c
                                                    • Instruction Fuzzy Hash: E581AD35A002099FCB41DFA9D8849EEFBF6FF89314F14816AE505EB211D730A955CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e6b949ac7e3d63484127b177218cc6bdd769a7bc5665aae90a2fc9acf2bb8173
                                                    • Instruction ID: 82987df35be9436ea853975acc3b2f2b6ab11c58e9b7438cd58309624c30c7b4
                                                    • Opcode Fuzzy Hash: e6b949ac7e3d63484127b177218cc6bdd769a7bc5665aae90a2fc9acf2bb8173
                                                    • Instruction Fuzzy Hash: 8A51B071A003459FCB51CF68C890EAABBF2FF45324F258595E966DB3A6C730E944CB60
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 196c4776013d33649ff9bcc9a4372266e1010fc306ebe74d6c324d49904b85ab
                                                    • Instruction ID: fc60f6fd1bc775ca8859ff33e155f242b871dd1eac0711389e5a3f249db3439e
                                                    • Opcode Fuzzy Hash: 196c4776013d33649ff9bcc9a4372266e1010fc306ebe74d6c324d49904b85ab
                                                    • Instruction Fuzzy Hash: D651DF74E007489FDB65CFA9C884A9EFBF2BF48300F058569E44AAB761D770A985CF40
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b42392c7e7755d43e98a8aeea2026bfa430397fea009003c68cf3ac70b9b5c6f
                                                    • Instruction ID: 8342c07591ddc13fb357ab87ba6d1326ad8024991a06ddb73dd4631a29ea7aae
                                                    • Opcode Fuzzy Hash: b42392c7e7755d43e98a8aeea2026bfa430397fea009003c68cf3ac70b9b5c6f
                                                    • Instruction Fuzzy Hash: 21418F30A14B408FE7B18E35C58476677E9BF44318F14A95DD58383AA2C778FAC8C761
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 64bbadb0f2badd309ecee3fb16120bff9fc99b89b7aa9512909676db23391863
                                                    • Instruction ID: 67c24bde812324ca86fefd24b08bd222982b2a16f02c7fa7ab393befe4af5128
                                                    • Opcode Fuzzy Hash: 64bbadb0f2badd309ecee3fb16120bff9fc99b89b7aa9512909676db23391863
                                                    • Instruction Fuzzy Hash: 01410434700600CFC758CF29C988A2ABBFAFF88214B1556A9E5468B772CB71EC81CF50
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b50cfa6215d1ba39584841debd6c9d95993b2ef9763f087974d89599b2402147
                                                    • Instruction ID: 1426eb4696a4dd7d0e438485d9450551bc871faf38cd0020c7fe974bd2825c18
                                                    • Opcode Fuzzy Hash: b50cfa6215d1ba39584841debd6c9d95993b2ef9763f087974d89599b2402147
                                                    • Instruction Fuzzy Hash: 0B417B71F003198FCB98EF69D85446EBBB7EF88210B0455A9D906DB3A5EB309D41CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1b11cd03b30e9fbff11363dcad4dd580ebf7684bd7cb1cc67b87fee9747d7b8d
                                                    • Instruction ID: 51580c55ead0c05e3a45ec165b08e0a9894cec2c2eb98ea94e84e6c72fc7683d
                                                    • Opcode Fuzzy Hash: 1b11cd03b30e9fbff11363dcad4dd580ebf7684bd7cb1cc67b87fee9747d7b8d
                                                    • Instruction Fuzzy Hash: 9C41A035A012619FCB05CF28E58886EBFF2FF443257068096E44A87362CB34DD01CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 370bbed5ab4f7f5c7c03b5b22d03581f12e3e8534c60148eb87e75958d13f814
                                                    • Instruction ID: 911e70ccf8968589d653adb7b3dcfb49d8c71d56d04a5cb1b4bceaebd1c88e67
                                                    • Opcode Fuzzy Hash: 370bbed5ab4f7f5c7c03b5b22d03581f12e3e8534c60148eb87e75958d13f814
                                                    • Instruction Fuzzy Hash: 1A313A75F007168FCB68DF68DC849AEB7B6FF88214B1404A9D925EB361D730E941CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 041df134775606a181aa7946b9dd187cf86d6c97183348a96f2ada0dd3435223
                                                    • Instruction ID: 231c6c609a9eb9aa8895381de1e7721b4925f70d461dbb3b57bded469464dfb2
                                                    • Opcode Fuzzy Hash: 041df134775606a181aa7946b9dd187cf86d6c97183348a96f2ada0dd3435223
                                                    • Instruction Fuzzy Hash: DB21AB30B002159FDB409FA9E8086FEBBA7FB8A341F008429F902D7381DB759C018BA1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6b18b779f07b70b791667f6da3fd869c293abe6aec2a5e809469387b781965e
                                                    • Instruction ID: f30903273768b09a6bb4beb5a149cfb9997a09fc5371ca7f83edd65b19621a4b
                                                    • Opcode Fuzzy Hash: b6b18b779f07b70b791667f6da3fd869c293abe6aec2a5e809469387b781965e
                                                    • Instruction Fuzzy Hash: 87217C31F003159FCB98DF69D9549AEBBBBFF88200B0455A9D9068B2A5DB309D40CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756690679.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_d6d000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4aa62fc43238f3ce756563733b1841ee693be909bf20aa1406fb6c9b6cf350ec
                                                    • Instruction ID: a8367c9652833cde625cfd64f271dae86e728111c129a31aae995a7d79095818
                                                    • Opcode Fuzzy Hash: 4aa62fc43238f3ce756563733b1841ee693be909bf20aa1406fb6c9b6cf350ec
                                                    • Instruction Fuzzy Hash: CF212171A04200DFCB05DF04E9D4B2ABF66FB98310F24C569E9090A25AC336D816CBB1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 82c13089f70256cd0da045f2d23d1ab613f53d419aaefeab49265b123bf99344
                                                    • Instruction ID: f6800ccbad777df2b61a17a0cf1efc1394d0607b46af412d28ce276bde6c8464
                                                    • Opcode Fuzzy Hash: 82c13089f70256cd0da045f2d23d1ab613f53d419aaefeab49265b123bf99344
                                                    • Instruction Fuzzy Hash: B1217931A017009FC769CF69C944D56BBF6BF89314B0AC5AAE54ACB762CB34ED44CB90
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b50457e4b2d2d05693da5d6c1c6d1f1c99ba85b66877c425a07bbcc41110933
                                                    • Instruction ID: 468e005737c51957caf3e8c3423d2e252a1eaab6d0e5fcae71732258947aa43a
                                                    • Opcode Fuzzy Hash: 8b50457e4b2d2d05693da5d6c1c6d1f1c99ba85b66877c425a07bbcc41110933
                                                    • Instruction Fuzzy Hash: 6A214C3090A315DFEBD96BB4A4095B97BB7AB4121130535E6F20396A81DB724D00C7A3
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756733103.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_d7d000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 081adc72137cec5f7916660067bbb231f3cd26a9082a832100d8be171409a9ee
                                                    • Instruction ID: 56203368ea0473104d3c94760e698ca405fb329a28998851b324bd97a3c62ae3
                                                    • Opcode Fuzzy Hash: 081adc72137cec5f7916660067bbb231f3cd26a9082a832100d8be171409a9ee
                                                    • Instruction Fuzzy Hash: A021FF75604200DFCB14DF24D984B26BBB6EF88314F24C56DE84E4B296D33AD847CA71
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c2224c3f74f704c66a64e3fad4dbe59a89b890ec50c4063afeb8cc1ff5931256
                                                    • Instruction ID: 1dc69209ec6d3981aca925c981d98b58eca4286728839a6eb8ae334b73b9a108
                                                    • Opcode Fuzzy Hash: c2224c3f74f704c66a64e3fad4dbe59a89b890ec50c4063afeb8cc1ff5931256
                                                    • Instruction Fuzzy Hash: 7F21CF35B002559FCB409FA9D844AFEBBB6FF8A340B048429F952D7381DB399914CBB0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee78506de5ae022d437bf0e65d3214042c0cf7ca428aebff5d87593ed8fc45e7
                                                    • Instruction ID: 996a59fefce95a9bd6c4757639b019135d6f5a60ec30520a2dfc22a8382dec40
                                                    • Opcode Fuzzy Hash: ee78506de5ae022d437bf0e65d3214042c0cf7ca428aebff5d87593ed8fc45e7
                                                    • Instruction Fuzzy Hash: CA216071E01216DFCB14CF65D68496ABBF2FF89314B148169D809AB325D731ED45CF90
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 677ae2862ccfb2d1ab7d61052eca168536a08071c8126a9483dfe6b76589f2ba
                                                    • Instruction ID: 7c50e07b8f2d73a0c7b0982eee867c0feef5830fa5700c54608f0dc868ef255d
                                                    • Opcode Fuzzy Hash: 677ae2862ccfb2d1ab7d61052eca168536a08071c8126a9483dfe6b76589f2ba
                                                    • Instruction Fuzzy Hash: 39218B74A00216DFCB14CF68CA8496ABBF2FF88318B108169E809AB325C731ED45CFD0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 99f2119577e5d03657c613aa495722182b7ceb79742a811fc7044fda19cb6d9c
                                                    • Instruction ID: aadd5ea1689039fafc1e49b38e2ff9bca2172ef8a327f6a435bf56e4bbc463eb
                                                    • Opcode Fuzzy Hash: 99f2119577e5d03657c613aa495722182b7ceb79742a811fc7044fda19cb6d9c
                                                    • Instruction Fuzzy Hash: 92119A34E057059FC7A0CB69C604BAAFBE5FF40318F4491AAD849CB652E734E904CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 49e5fb29e3f3e1acdaff7331e6523eb0a9c1467afda2fda6d9c56b289634e9e8
                                                    • Instruction ID: 26d15e2c536103f859cc2dbd1466f6793c5e0066d5e8262743c75e6f96d819be
                                                    • Opcode Fuzzy Hash: 49e5fb29e3f3e1acdaff7331e6523eb0a9c1467afda2fda6d9c56b289634e9e8
                                                    • Instruction Fuzzy Hash: 1D11E03194E3D1AFE3939A205C105A67FBA9E432A434D04DBE484CB163E2694E68D3B1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aa1733cd3a4faccc0abfe889c4077915ebdadbef9236ff5a687492cf942804fe
                                                    • Instruction ID: 682b67d4ea906b8bc543ff6cb5ca15138a98e64b14e795675781b1297f44f5c9
                                                    • Opcode Fuzzy Hash: aa1733cd3a4faccc0abfe889c4077915ebdadbef9236ff5a687492cf942804fe
                                                    • Instruction Fuzzy Hash: 4C11CE31F003149FD7E4AAAD994096AF6CBEBC8250B058A2AD51A8F758DE70EC4983D5
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 47b437c0e61114469130b20c74e0ca6d732782ee0198febc0c0941098677dd0c
                                                    • Instruction ID: 51f136dbc35f09b125c3ec8abfc5c0ed36cdaf79c353f0be4ebf8408a6da2102
                                                    • Opcode Fuzzy Hash: 47b437c0e61114469130b20c74e0ca6d732782ee0198febc0c0941098677dd0c
                                                    • Instruction Fuzzy Hash: 40110830B083598FCBA95F389D1012A7FEA9F8528471414A6D54ACF392DE35CD41CBE1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756733103.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_d7d000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ee4d31e2bc85eab346fbf3eaa793b278f0df2564cc00b28ba072a908988a134
                                                    • Instruction ID: 268f4b3e82eacaa02429424ac1a371da7bb332cc84f9fa87ec42cabc722aff08
                                                    • Opcode Fuzzy Hash: 4ee4d31e2bc85eab346fbf3eaa793b278f0df2564cc00b28ba072a908988a134
                                                    • Instruction Fuzzy Hash: 7F214F755093808FDB12CF24D994715BF72EF46214F28C5EAD8498B6A7D33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfc81d4a00ed1ba8296be5638b4cc8a4cd57f0f5c0c155d3b60d1166292fe46e
                                                    • Instruction ID: c4ce2d85ca8287fe93df5f0796775aad6b7e7ae5202b13d7b8055f1c31d7399d
                                                    • Opcode Fuzzy Hash: cfc81d4a00ed1ba8296be5638b4cc8a4cd57f0f5c0c155d3b60d1166292fe46e
                                                    • Instruction Fuzzy Hash: 9F11E131B053105FDBA19BAD99408ABF796EFC4310B04862AE51A8F359DA70EC49C3E5
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c3b10089f7f61688a5dd24633d9608e5a4048ebea3e08372a33b28e526832552
                                                    • Instruction ID: a287616000a1cc6b0b165163b7b2ca2955dd377a42dbbe0acc221f7e1c36e801
                                                    • Opcode Fuzzy Hash: c3b10089f7f61688a5dd24633d9608e5a4048ebea3e08372a33b28e526832552
                                                    • Instruction Fuzzy Hash: 1D11B135E007018FC7A0CB28C5047A9FBF1BF40318F48A1AAD849DB292D339E945CF81
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d9087a5a1b5f913e98bc7b3f46dabca0e350ab5a7e396046ec57b8185558a8e0
                                                    • Instruction ID: e4b89cc5f80abda0249e1fc6730c4ec96f523f3d6f9fe526d7cd72c20dc561ef
                                                    • Opcode Fuzzy Hash: d9087a5a1b5f913e98bc7b3f46dabca0e350ab5a7e396046ec57b8185558a8e0
                                                    • Instruction Fuzzy Hash: 5E1193356012409FC704CF28D844D9EBFB2FF89324B15819AE549CB362CB31ED06CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0aaa6ccede45128779a75ecc6bf6edb4e8b0fadfc4638eef8cb4dc6b96eaae0d
                                                    • Instruction ID: e276fecea892e8855fbb15404c3428aab36c553cc62542e055bec5f4ee046d27
                                                    • Opcode Fuzzy Hash: 0aaa6ccede45128779a75ecc6bf6edb4e8b0fadfc4638eef8cb4dc6b96eaae0d
                                                    • Instruction Fuzzy Hash: 75113D75B04258CFCB44DFB8D4545AE7BF2EF89300B1144AAE206DB3A1DE319D09CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e330cbc58c9a794b4bfad146263ff731ce0aa63991244b3732d71bfc723b03a
                                                    • Instruction ID: 04367227378552bda0c601dc256d3fd666b6b276fe18c9f1290d666e23a6e739
                                                    • Opcode Fuzzy Hash: 3e330cbc58c9a794b4bfad146263ff731ce0aa63991244b3732d71bfc723b03a
                                                    • Instruction Fuzzy Hash: 5E11F130909215CFEBD96BB5A00D67C7BF7AB4131234175A6F20796A80EF728D008BA3
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1756690679.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_d6d000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                                    • Instruction ID: 0d76ebeef4e239fc068db7e49da43a280178cff2d24ea882e216cc397cf102c9
                                                    • Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                                    • Instruction Fuzzy Hash: 6A21D676504240DFCB06CF54D9C4B16BF72FB98314F28C5A9DD050B656C336D856CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e1773f9ca59aa9b0be57e8ed15656df4822a32f2af3dd3c99ee5d93d42bdd3a0
                                                    • Instruction ID: 015b7531cfbaebb52f3e0b191f8ff85b661201bf7b17112c0127f3648819322b
                                                    • Opcode Fuzzy Hash: e1773f9ca59aa9b0be57e8ed15656df4822a32f2af3dd3c99ee5d93d42bdd3a0
                                                    • Instruction Fuzzy Hash: 3811E375A00215DFCB05DF64D9448AEBFF7FF883107105169E606D73A5EB308945CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cd972f988da5b2068d8170a329fd0be477705bb93d751143447c9c3573a9ec48
                                                    • Instruction ID: b5fbfe03119ef2247284be171db80e3a0564cc6361e9e3b00e13df2f7048a22e
                                                    • Opcode Fuzzy Hash: cd972f988da5b2068d8170a329fd0be477705bb93d751143447c9c3573a9ec48
                                                    • Instruction Fuzzy Hash: AF11C671600601DFD710DF29E844E9AFBF6FF88314B048569E40987755CB31ED85CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 256cf7018cfc64a895d61e285cb760a8727b0f26107a6ae7aeace76da638aa2b
                                                    • Instruction ID: 5b6f06bf446a48e4dd603babfc1ab73fb32c5fd143c2c373b6790073837708a8
                                                    • Opcode Fuzzy Hash: 256cf7018cfc64a895d61e285cb760a8727b0f26107a6ae7aeace76da638aa2b
                                                    • Instruction Fuzzy Hash: 3611C2716002019FC7109F29E84495AFBE6FF89324B00856AE44987311CB31ED49CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1608956be3cb61e8f60a471d7bdc8603d2067a64d9d6916f360450f2e6d0d677
                                                    • Instruction ID: bc0dfd39ec35242a3fa401a46128bd87336e4d4cfd067e1df63244333953f296
                                                    • Opcode Fuzzy Hash: 1608956be3cb61e8f60a471d7bdc8603d2067a64d9d6916f360450f2e6d0d677
                                                    • Instruction Fuzzy Hash: E60126316093744FD7056B7CA46509E7FA9DF8129470544D3E085CB291DE248946C3EA
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1773695305.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_6ee0000_MSBuild.jbxd